COMPUTER VIRUS EPIDEMIC
1987-1991
ONLINE TODAY'S BACKGROUNDER: COMPUTER
"VIRUS," PART ONE
(Editor's note: Computer "viruses" --
self-propagating programs that spread
from one machine to another and from one
disk to another -- have been very much
in the news. This file contains
virus-related stories carried by Online
Today's electronic edition since the
outbreak in November 1987 through March
1988.)
"VIRUS" INFECTS COMMODORE COMPUTERS
(Nov. 20)
A "virus" has been infecting
Commodore's Amiga computers, and what
was once considered an innocent bit of
hacking has turned into a disaster for
some users.
The "virus" is a secret modification
to the boot block, an area on many disks
using operating system facilities of the
Amiga. In addition to its transparent
purpose --- starting the operating
system -- the virus contains code that
can infect other disks. Once a virus
infected disk is used on a computer, the
computer's memory becomes a breeding
ground and all other bootable disks that
find their way to that computer will
eventually become infected. Any exchange
of diskettes with another computer then
infects the new computer.
Although the original intention of the
virus apparently was benign, it may have
spread to thousands of Amiga computers
and disrupted their normal operations.
Since some commercial software
developers use coded information in the
boot block of their distribution disks,
the virus can inadvertently damage these
disks and render the software useless.
Knowledgeable users say the virus was
meant to be a high-tech joke that
displayed a message after it had
completely infiltrated a user's disks
library.
According to Amiga technical support
personnel, the only sure way for users
to keep the virus out of their systems
is to avoid warm starting the computer.
It should always be powered down first.
--
VIRUS MOVES TO IBM COMPUTERS
(Dec. 7)
On the heels of the Amiga virus,
reported recently in Online Today, a new
apparently less benign virus has been
making the rounds of IBM personal
computers. The IBM-related virus was
first noted at Lehigh University where,
last week, a representative in the User
Services section reported its discovery
by student consultants.
As with other similar viruses, this
one is spread by means of an infected
system file. In this case, a hacked
version of IBM's COMMAND.COM processor
is the host that harbors the virus.
Once infected, the host PC will then
infect the first four computers with
which it comes in contact. In all cases,
the virus is spread through an illegally
modified version of the IBM command
processor.
Once the host has infected four other
computers, the host virus is reported to
purposely destroy the boot tracks and
allocation tables for all disks and
diskettes that are online to the host
computer. The action renders the disks
completely unreadable, even when
reconstructs are attempted with popular
disk repair software.
The consultant at Lehigh University
who first alerted general users to the
virus says that it can be detected by
examining the date on the COMMAND.COM
file. A recent date would suggest that
the file had been illegally modified.
--
CHRISTMAS GREETINGS MESSAGE TIES UP
IBM'S ELECTRONIC MAIL SYSTEM
(Dec. 12)
IBM nearly lost its Christmas spirit
yesterday. It seems that a digital
Christmas card sent through its
electronic mail system jammed computers
at plants across the United States for
up to 90 minutes.
The Associated Press quotes IBM
spokesman Joseph Dahm as saying the
incident caused no permanent damage, but
forced the company to turn off links
between computer terminals for a while.
AP says, "Curious employees who read
the message discovered an illustration
of a Christmas tree with 'Holiday
Greetings' superimposed on it. A caption
advised, 'Don't browse it, it's more fun
to run it.' Once a person opened the
computer message on their screen, it
rarely accepted a command to stop the
message from unfolding on the screen. As
a result, several people shut off their
computers and lost reports or mail that
had not previously been filed."
Apparently the message also
automatically duplicated itself and was
sent to other workstations.
Online plants in Texas and New York
were affected, Dahm said. Meanwhile,
sources said that other facilities in
Charlotte, N.C.; Lexington, Ky.;
California and Europe also received the
message.
Federal agents even may investigate
the incident, the wire service says,
since the message apparently crossed
state lines.
--
COMPUTER VIRUS THREATENS HEBREW
UNIVERSITY'S EXTENSIVE SYSTEM
(Jan. 8)
In Jerusalem, Hebrew University
computer specialists are fighting a
deadline to conquer a digital "virus"
that threatens to wipe out the
university's system on the first Friday
the 13th of the year. That would be May
13.
Associated Press writer Dan Izenberg
says the experts are working on a
two-step "immune" and "unvirus" program
that could knock down the vandalized
area of the system.
"Viruses" are the latest in computer
vandalism, carrying trojan horses and
logic bombs to a new level, because the
destructiveness is passed from one
infected system to another. Izenberg
quotes senior university programmer
Yisrael Radai as saying that other
institutions and individual computers in
Israel already have been contaminated.
"In fact," writes the wire service,
"anyone using a contaminated computer
disk in an IBM or IBM-compatible
computer was a potential victim."
Radai says the virus was devised and
introduced several months ago by "an
evidently mentally ill person who wanted
to wield power over others and didn't
care how he did it."
AP describes the situation this way:
"The saboteur inserted the virus into
the computer's memory and the computer
then infected all disk files exposed to
it. Those disk files then contaminated
healthy computers and disks in an
electronic version of a contagious
cold."
Apparently, the intruder wanted to
wipe out the files by Friday, May 13,
but may have gotten impatient, because
he then had his virus order contaminated
programs to slow down on Fridays and on
the 13th day of each month.
Radai thinks that was the culprit's
first mistake, because it allowed
researchers to notice the pattern and
set about finding the reason why.
"Another clue," says AP, "was derived
from a flaw in the virus itself. Instead
of infecting each program or data file
once, the malignant orders copied
themselves over and over, consuming
increasing amounts of memory space. Last
week, experts found the virus and
developed an antidote to diagnose and
treat it."
Of viruses in general, computer expert
Shai Bushinsky told AP, "It might do to
computers what AIDS has done to sex. The
current free flow of information will
stop. Everyone will be very careful who
they come into contact with and with
whom they share their information."
--
TAMPA COMPUTERISTS FIGHT VIRUS
(Jan. 10)
Tampa, Fla., computerists say they are
fighting a digital "virus" that sounds
as if it may be the same crank program
now plaguing a university in Jerusalem.
As reported earlier, Hebrew University
computer specialists are contending with
a virus program that threatens to wipe
out the university's system on the first
Friday the 13th of the year -- May 13.
The Jerusalem team is working on a
two-step "immune" and "unvirus" program
that could knock down the vandalized
area of the system.
Meanwhile, members of the Tampa Amiga
User's Group now tell United Press
International that they, too, are
fighting a computer virus, and UPI
quotes one expert as saying a version of
that vandalizing program also is
designed to begin destroying files on
May 13.
Computer viruses are self-propagating
programs that spread from one machine to
another and from one disk to another, a
sort of new generation of more
destructive trojan horses and logic
bombs.
"It kinda creeps up on you," president
Jeff White of the Amiga group told the
wire service, adding that the group's
membership was infiltrated by the
program.
UPI reports, "Experts don't yet know
what, if any, damage the virus can cause
to the disks or programs. Similar
problems have erased programs and
information. ... White said the program
spread itself to more than 20 of his
floppy disks before he discovered it.
But by then, the program had spread to
the disks of many of the club's members
via its regular disk-of-the-month
distribution."
White said he doesn't know how the bug
got to Tampa, but suspects it came from
West Germany on a disk from an overseas
user group.
"White said the program works
invisibly," says UPI. "When the computer
is turned on, the program stores itself
in the machine's main memory and then
begins spreading copies of itself to new
disks used in the machine."
He added that the Tampa club members
now use a "virus-checker" program to
test disks to prevent another infection.
--
VIRUS PROGRAMS COULD HAVE USEFUL
APPLICATIONS, SAYS COLUMNIST
(Jan. 11)
Despite all the recent negative
publicity about computer "viruses" --
self-propagating programs that spread
from one machine to another in way that
has been called the computer version of
AIDS -- a California computer columnist
says there could be a positive result.
Writing in The San Francisco Examiner,
John Markoff observes, "In the future,
distributed computing systems harnessed
by software programs that break tasks
into smaller parts and then run portions
simultaneously on multiple machines will
be commonplace. In the mid-1970s
computer researchers John Shoch and Jon
Hupp at Xerox's Palo Alto Research
Center wrote experimental virus programs
designed to harness many computers
together to work on a single task."
Markoff points out that some of the
programs in that work functioned as
"'town criers' carrying messages through
the Xerox networks; others were
diagnostic programs that continuously
monitored the health of the computers in
the networks."
Also the researchers called one of
their programs a "vampire worm" because
it hid in the network and came out only
at night to take advantage of free
computers. In the morning, it
disappeared again, freeing the machines
for human users.
For now, nonetheless, most viruses --
particularly in the personal computing
world -- are viewed as destructive
higher forms of trojan horses and logic
bombs.
Markoff traces the first virus to the
military ARPAnet in 1970. On that
system, which links the university,
military and corporate computers,
someone let loose a program called
"creeper."
Notes the paper, "It crawled through
the network, springing up on computer
terminals with the message, 'I'm the
creeper, catch me if you can!' In
response, another programmer wrote a
second virus, called 'reaper' which also
jumped through the network detecting and
'killing' creepers."
Markoff also pointed out that Bell
Labs scientist Ken Thompson, winner of
the prestigious Turing Award, recently
discussed how he created a virus in the
lab to imbed in AT&T's Unix operating
system, which he and colleague Dennis
Ritchie designed.
In a paper, Thompson noted how he had
embedded a hidden "trapdoor" in the Unix
log-on module each time it created a new
version of the operating system. The
trapdoor altered the log-on mechanism so
that Unix would recognize a password
known only to Thompson.
Thompson and Ritchie say the Unix
virus never escaped Bell Labs.
--
SUBSCRIBER, SYSOP BLOCK POSSIBLE "VIRUS"
IN APPLE HYPERCARD FORUM
(Feb. 8)
Quick reactions by a subscriber and a
veteran forum administrator have blocked
a possible computer "virus" program that
was uploaded over the weekend to
CompuServe's new Hypercard Forum.
The suspicious entry was an Apple
Hypercard "stack" file called
"NEWAPP.STK," which was uploaded Friday
to the forum's Data Library 9,
"HyperMagazines." It was online for
about 24 hours before it was caught.
Subscriber Glenn McPherson was the
first to blow the whistle. Saturday
night McPherson posted a message saying
that when he ran the application, the
file altered his Macintosh's systems
file. "I don't know why it did this," he
wrote, "but no stack should touch my
system file."
Neil Shapiro, chief forum
administrator of the Micronetworked
Apple Users Group (MAUG), quickly
investigated and removed the suspicious
file.
In a bulletin to the membership,
Shapiro warned those who already had
downloaded NEWAPP.STK that the stack
would alter the system files with
unknown results. He also warned against
using system files from any disk that
was run while the NEWAPP.STK's modified
system was in effect.
Said Shapiro, "If you run NEWAPP.STK,
it will modify the system on the disk it
is on so that the system's INITs contain
an INIT labeled 'DR.' Then, if you use
another system with the DR-infected
system as your boot system, the new
system will also contain the
self-propagating 'DR' INIT Resource.
While it is possible to, apparently,
'cut' this resource from infected
systems with the Resource Editor, the
only sure course of action is to trash
any system file that has come in contact
with this stack."
It was not immediately known if the
system alternations were deliberately or
accidentally programmed into NEWAPP.STK.
Shapiro notes the file's uploader has
been locked off the entire system and
that "he will be contacted by CompuServe
and/or myself."
Computer "viruses" -- self-
propagating programs that infect system
files and then spread to other disks --
have been in the news for the past six
months. To- date, most of their targets
have been regional computer users
groups, private and semi-public networks
and stand-along bulletin board systems.
This apparently is the first report of a
virus-like program on a national
consumer information service.
Shapiro says in his bulletin that in
eight years of the various Apple forums'
operation, this is the only such
occurrence.
"While I, of course, cannot say it
will be the last, I still have just as
much confidence as always in the fact
that 99.99999999% of the Mac community
are quite trustworthy and that there is
no real need to fear downloads," he
wrote.
Shapiro also urged his membership, "If
you have not used (NEWAPP.STK) yet, do
not! If you have uploaded it to other
BBS or network systems, please
immediately advise the sysops there of
the problem. If you have placed it on a
club disk, please be certain to remove
it from that disk before distribution
and -- if it has been run from the
'Master' disk already -- don't just
remove it, but trash the system."
Subscriber McPherson indicates the
suspect file already has spread to other
systems. His forum note says he found
the same stack program also in a
software library on the General
Electric's GEnie network.
--
DOD TRIES TO PROTECT ITS COMPUTERS FROM
ELECTRONIC VIRUS
(Feb. 9)
Just as a medical virus can spread
rapidly, so does the deadly computer
virus seem to be making the rounds.
In an effort to inoculate itself
against an outbreak, the Department of
Defense has taken steps to prevent the
electronic sabotage from affecting its
computers, reports Government Computer
News.
The computer viruses are self-
propagating programs that are designed
to spread automatically from one
computer to another and from one disk to
another, totally disrupting normal
operations.
As reported in Online Today, such
viruses have already struck computer
systems at Hebrew University in
Jerusalem and IBM Corp.'s regional
offices in Tampa, Fla.
"It can spread through computer
networks in the same way it spreads
through computers," said DOD spokeswoman
Sherry Hanson. "The major problem areas
are denial of service and compromising
data integrity." In addition to basic
security measures, computer scientists
at the National Security Agency are
installing programming tools and
hardware devices to prevent the
infiltration of virus programs. Hanson
told GCN that DOD is also using
specialized ROM devices and intrusion
detectors. The virus only comprises a
few lines of programming code and is
easy to develop with few traces.
After IBM was infiltrated last
December with an innocent- looking
Christmas message that kept duplicating
itself many times over and substantially
slowed the company's massive message
system, specialists installed a filter
program to monitor the system and
protect against further intrusion.
According to GCN, executable programs
can't be transferred from one computer
to another within IBM's network.
Even personal computer users are
worried, since the virus remains hidden
in a computer's main memory. For
instance, almost the entire membership
of a Florida Commodore Amiga users group
was infected by a virus before it was
discovered.
The president of the group said he
believed the virus originated in Europe
on a disk of programs the group received
from an overseas source. The club now
has a checker program to check disks for
viruses before they are used.
Al Gengler, a member of the Amiga
group, compared the virus to AIDS.
"You've got to watch who you compute
with now," he said.
--Cathryn Conroy
EXPERTS SEES TWO SCENARIOS FOR THE
COMPUTER "VIRUS" PROBLEM
(Feb. 9)
Don Parker, who heads the information
security program for the Menlo Park,
Calif., SRI International, has been
studying the problem of computer
"viruses" and now says he see two
possible directions in the future.
Speaking with Pamela Nakaso of the
Reuter Financial News Service, Parker
said his scenarios are:
-:- One, that viruses will be too
difficult to design and use for
infiltration, and that interest in using
them as "weapons" will die away.
-:- Or, two, viruses will increase in
destructiveness as more sophisticated
saboteurs use them to destroy the public
domain software resources available.
Nakaso also quotes editor Harold
Highland of the magazine Computers and
Security as saying that "hysteria" over
the few documented incidents may fuel
even more viruses, which are defined as
self-propagating files that usually
damage a computer's systems files and
then spread to other disks.
Highland pointed out that in a recent
Australian virus case among Amiga
computers, one tabloid newspaper
reported the incident with a headline
that spanned the entire cover, reading,
"Terror Strikes in the DP Industry."
Parker told Reuter, "The vulnerability
is growing at the same rate as the
number of computers and number of
communications with computers."
Nakaso writes, "Parker estimates that
of the 2,000 cases of documented
computer crime he has compiled at SRI,
about 20 to 30 have been virus attacks.
There is no question, however, the
reported incidents are rising, and they
are expanding beyond personal computers
to mainframes and other networks."
--
COMPUTER VIRUS CALLED FRAUD
(Feb. 10)
Computer viruses may be frauds.
Although lots of people are talking
about computerdoms latest illicit fad,
to date, no one has produced a copy of a
living breathing virus. Now, a
University of Utah expert on urban
legends thinks that the dreaded virus
may be have become the high tech version
of the bogey man.
Professor Jan Harold Brunvand has
written three books about urban legends
and he seems to think that the virus is
just the latest incarnation in a long
line of legends. Brunvand, and others,
have pointed out that there are striking
similarities among reports of the virus
and legends such as the cat in the
microwave oven. For one thing, there are
lots of reported sightings but no
concrete evidence. And urban legends
always seem to appear and affect those
things about which urban dwellers are
just coming to terms with: shopping
malls and microwave ovens in the 70's,
computers in the 80's.
In today's society, a berserk computer
that destroys its owner's data certainly
qualifies as the stuff about which
legends are made. Even the way in which
the deed is accomplished has mystical
qualities: a computer wizard works
strange magic with the secret
programming codes of a computer
operating system.
Brunvand, a computer owner himself,
says that although viruses could be
created, he has found absolutely no
evidence to support claims about their
existence.
--
HYPERCARD VIRUS JUDGED "HARMLESS"
(Feb. 12)
Administrators of a CompuServe forum
supporting the Apple Hypercard
technology have confirmed that a file
uploaded to their data libraries last
weekend did indeed contain a so-called
computer "virus."
However, they also have determined the
program apparently was harmless, meant
only to display a surprise message from
a Canadian computer magazine called
MacMag.
As reported earlier this week, forum
administrator Neil Shapiro of the
Micronetworked Apple Users Groups (MAUG)
removed the suspicious entry, a
Hypercard "stack" file called
"NEWAPP.STK," after a forum member
reported that the file apparently
altered his Macintosh's system files.
Computer "viruses," a hot topic in the
general press these days, have been
defined as self-propagating programs
that alter system files and then spread
themselves to other disks.
Since removing the file last weekend,
the Apple administrators have been
examining the file and now Shapiro says
it apparently was designed merely to
display a message from MacMag on March
2.
On the HyperForum message board (G
APPHYPER), Shapiro reports, "Billy
Steinberg was able to reverse engineer
(disassemble) the INIT that the virus
places into system files. The good news
is that the virus is harmless. But it
*is* a computer virus."
Shapiro says that if the downloaded
file remained in the user's system, then
on March 2, the screen would display:
"Richard Brandnow, publisher of
MacMag, and its entire staff would like
to take this opportunity to convey their
universal message of peace to all
Macintosh users around the world."
Apparently the file is so designed
that after March 2 it removes itself
from the user's system.
Shapiro notes that, while this file
apparently is harmless, it still raises
the question of the propriety of
database entries that quietly alter a
user's system files.
Shapiro said he has spoken to
publisher Brandnow. "It was not his
intention to place it in a HyperCard
stack nor to have it on (CompuServe),"
Shapiro writes. "What he did do was to
develop the INIT in December and 'left'
it on their (MacMag's) own machines with
the hope that 'it would spread.'"
Subsequently, someone else apparently
captured the file, added it to his
"stack" and uploaded to the CompuServe
forum and other information services.
While Brandnow maintains the
system-altering INIT file was harmless,
Shapiro says he's concerned about what
the NEWAPP.STK incident could represent.
"While the INIT itself is
non-destructive," Shapiro wrote, "I
believe it was at least irresponsible
for MacMag to have perpetrated this type
of problem and to have caused the
confusion that they did. I also fear
that this could give other people ideas
on less peaceful uses of such a virus.
"I believe that MacMag has opened here
a Pandora's Box of problems which will
haunt our community for years. I hope I
am wrong."
--
PUBLISHER DEFENDS HIS "VIRUS" PROGRAM AS
"GOOD FOR COMMUNITY"
(Feb. 13)
The publisher of Canadian computer
magazine MacMag contends the computer
"virus" program his staff initiated
recently was not only harmless but was
"good for the Macintosh community."
Says 24-year-old Richard Brandow, "If
other people do nasty things (with virus
programs), it is their responsibility.
You can't blame Einstein for Hiroshima."
Speaking by phone with reporter Don
Clark of The San Francisco Chronicle,
Brandow maintained his magazine's virus
program, which spread through the Apple
Macintosh community this week on this
continent and apparently reached Europe,
was intended to do nothing more than
display a "peaceful" message on Mac
screens on March 2, the first
anniversary of the introduction of the
Apple Mac II.
Of the so-called "virus" technology,
Brandow said, "This message is very good
for the Macintosh community."
The controversy centered around an
Apple Hypercard "stack" file called
"NEWAPP.STK" that was uploaded to
various public domain databases around
the country, including the data library
of CompuServe's HyperForum (G APPHYPER).
When subscribers discovered that the
file quietly altered their Mac's system
files when it was executed, a warning
was posted and forum administrator Neil
Shapiro immediately removed the data
library entry. Only after the forum's
sysops had disassembled the suspect file
could it be determined that NEWAPP.STK's
only apparent function was to display a
March 2 greeting from Brandow and the
MacMag staff.
HyperForum members now have been
informed that the file, while indeed a
"virus," apparently is harmless.
However, Shapiro contends MacMag
staffers were "at least irresponsible
... to have perpetrated this type of
problem and to have caused the confusion
that they did."
Shapiro is quoted in The Chronicle as
adding, "This is very similar to someone
breaking into your home and writing a
message of good will in red lipstick on
your wall. It is a violation of the
right of private property... Our
computers are machines that belong to us
and other people should remain out of
them."
On the other side of the argument,
Brandow told the paper, "The idea behind
all this is to promote peaceful methods
of communication between individuals
using harmless ways."
Montreal-based MacMag, with a
circulation of 40,000, is Canada's only
Macintosh magazine. Brandow also heads a
1,250-member Mac user group, which he
says is Canada's largest.
Brandow told Clark that programmers
worked more than a year on the virus,
adding that it was inspired by two
groups, known as "The Neoists" and "The
Church of the SubGenius." (He said the
latter was formed in Texas as a satire
on fundamentalist religion and inspired
a 1983 book.)
As noted here earlier, the MacMag
virus also reached beyond CompuServe to
other information services and private
bulletin board systems. For instance,
The Chronicle quotes General Manager
Bill Louden of General Electric's GEnie
as saying that about 200 users
downloaded the file from that
information service before it was
discovered and removed early Monday.
Meanwhile, Shapiro told Clark that only
about 40 of CompuServe's subscribers
retrieved the file before it was removed
early Sunday.
The Chronicle says that Mac devotees
in the Bay Area were "stunned" by news
of the virus, but not all were upset.
For example, Apple wizard Andy
Hertzfeld, a co-designer of the original
Mac, told the paper, "As far as I'm
concerned, it doesn't have any malicious
intent and is just some people having
fun. I don't see why people are so
uptight."
Meanwhile, a spokeswoman for Apple at
company headquarters in Cupertino,
Calif., said the company is searching
for details of the virus and could not
comment on it at present.
--
TWO FIRMS OFFER TO "INOCULATE" US
AGAINST THE COMPUTER "VIRUSES"
(March 4)
The debate continues over whether
computer "viruses" are real or just the
latest urban legend, but at least two
companies are hoping that we don't want
to take any changes.
Independent of each other, the firms
this week both claimed to have the first
commercial software to "inoculate"
systems against those reported rogue
programs that damage data and systems
files.
One of the companies, Lasertrieve Inc.
of Metuchen, N.J., introduced its
VirALARM product during Microsoft
Corp.'s CD-ROM conference in Seattle.
In addition, in Stockholm, a Swedish
company called Secure Transmission AB
(Sectra) today announced a similar
anti-virus program called TCELL, after a
counterpart in human biology.
A Lasertrieve statement contends that
previous anti-viral software utilities
-- mostly offered in the public domain
-- work by drawing attention to the
virus's attempted alterations of system
files, noting a change of file size, or
monitoring the dates of program changes.
However, the New Jersey firm contends,
this approach makes such programs
"easily fooled by sophisticated
viruses."
Lasertrieve says its VirALARM contains
a program designed to protect another
program, creating a software "barrier."
According to the statement, before
anyone can use the protected program,
VirALARM checks to determine whether the
program has been altered since it was
inoculated. If there has been any
change, the software then blocks use of
the altered program, notifies the user
and suggests a backup copy of the
program be substituted.
Meanwhile, Bo-Goran Arfwidsson,
marketing director of the Swedish
company, told Bengt Ljung of United
Press International that its TCELL
"vaccine" gives a database a partial
outside protection, sounds an alarm if a
computer virus appears inside a database
and identifies the infected file so it
can be isolated. The contaminated part
then can be replaced with a backup file.
Sectra spokesman Torben Kronander said
that TCELL has been "tested for a year
now and there is no question that it
works," adding that since early 1987 the
software has functioned on computers of
major Swedish manufacturing companies.
Arfwidsson declined to name those
companies for security purposes.
Kronander said TCELL simply made the
task of creating a virus so complicated
that only vast computer systems would be
able to carry it out. "We've effectively
removed the hacker type of attack, and
these have been the problem. It will
take the resources of a major software
producer or a country to produce a virus
in the future."
UPI says Sectra is a 10-year-old
research company with 19 employees in
Linkoping in central Sweden, closely
tied to the city's Institute of
Technology.
--
"VIRUS" SPREADS TO COMMERCIAL PROGRAM;
LEGAL ACTION CONSIDERED
(March 16)
That so-called "benign virus" that
stirred the Apple Macintosh community
earlier this year when it cropped up in
a public domain file in forums on
CompuServe and other information
services now apparently has invaded a
commercial program called FreeHand.
The publisher, Seattle's Aldus Corp.,
says it had to recall or rework some
5,000 FreeHand packages once the virus
was discovered and now is considering
legal action against those who admitted
writing the self- propagating program.
Meanwhile, other major software
companies reportedly are worried that
the virus may have affected some of
their products as well.
At the heart of the controversy is a
"peace message" that Canadian Richard
Brandow, publisher of Montreal's MacMag
magazine, acknowledged writing. As
reported here earlier, that file was
designed to simply pop up on Mac screens
around the world on March 2 to celebrate
the first anniversary of the release of
the Macintosh II. However, many Mac
users reacted angrily when they learned
that the file quietly had altered their
systems files in order to make the
surprise message possible.
Now the virus has re-emerged, this
time in FreeHand, a new Mac program
Aldus developed. Aldus spokeswoman Laury
Bryant told Associated Press writer
George Tibbits that Brandow's message
flashed when the program was loaded in
the computer.
Bryant added that, while it "was a
very benign incident," Aldus officials
are angry and "are talking with our
attorneys to understand what our legal
rights are in this instance.... We feel
that Richard Brandow's actions deserve
to be condemned by every member of the
Macintosh community."
This may be the first instance of a
so-called "virus" infecting commercial
software.
Tibbits says the Brandow virus
apparently inadvertently spread to the
Aldus program through a Chicago
subcontractor called MacroMind Inc.
MacroMind President Marc Canter told
AP that the virus appears to have been
in software he obtained from Brandow
which included a game program called
"Mr. Potato Head," a version of the
popular toy.
Canter said that, unaware of the
digital infection, he ran the game
program once, then later used the same
computer to work on a disk to teach Mac
owners how to use FreeHand. That disk,
eventually sent to Aldus, became
infected. Then it inadvertently was
copied onto disks sold to customers and
infected their computers, Canter said.
Upset with Brandow, Canter says he
also is considering legal action. For
his part, Brandow says he met Canter,
but denied giving him the software.
The whole incident apparently has some
at other companies worried because they
also use Canter's services. Tibbits says
that among MacroMind's clients are
Microsoft, Ashton-Tate, Lotus
Development Corp. and Apple Computers.
A-T has not commented, but officials at
Microsoft, Apple and Lotus all told AP
that none of their software was
infected.
Meanwhile, Brandow told Tibbits that,
besides calling for world peace, the
virus message was meant to discourage
software piracy and to encourage
computer users to buy original copies.
The full message read: "Richard
Brandow, the publisher of MacMag, and
its entire staff would like to take this
opportunity to convey their universal
message of peace to all Macintosh users
around the world." Beneath that was a
picture of a globe.
Brandow said that originally he
expected people making unauthorized
copies of programs on the machine would
spread the virus in the Montreal area
and possibly a few other areas of Canada
and the United States. However, he said
he was shocked later to find that, after
the virus program began to appear in the
databases of online information
services, an estimated 350,000 people in
North America and Europe saw the message
pop up on their computers on March 2.
--
Last page !m
Online Today OLT-2039
COMPUTER VIRUS EPIDEMIC
1 Backgrounder, Part I
2 Backgrounder, Part II
3 Backgrounder, Part III
4 Backgrounder, Part IV
5 Backgrounder, Part V
6 Backgrounder, Part VI
Enter choice !2
Online Today OLT-3125
ONLINE TODAY'S BACKGROUNDER: COMPUTER
"VIRUS," PART TWO
(Editor's note: Computer "viruses" --
self-propagating programs that spread
from one machine to another and from one
disk to another -- have been very much
in the news. This file contains
virus-related stories carried by Online
Today's electronic edition from April
through November 1988.)
Press for more !s
THREAT OF "VIRUS" BLOWN OUT OF
PROPORTION, NORTON AND SYSOPS SAY
(April 10)
The threat of so-called computer
"viruses" has been vastly overrated,
according to software guru Peter Norton
and two CompuServe forum administrators.
"We're dealing with an urban myth,"
Norton told Insight magazine. "It's like
the story of alligators in the sewers of
New York. Everyone knows about them, but
no one's ever seen them. Typically,
these stories come up every three to
five years."
Don Watkins, administrator of
CompuServe's IBM Users Network forums
(GO IBMNET) also told the general
interest magazine that he's more
concerned about being hit by a meteor
than a computer virus.
"In five years," Watson said, "I've
seen only one program that was designed
to do intentional damage. That was about
three years ago, and it wasn't very
sophisticated.
"I have never spoken to anyone who
personally, firsthand, has ever seen or
experienced a program like this," Watson
added, "and my job keeps me in touch
with tens of thousands of people."
CompuServe forum administrators check
each piece of user-contributed software
before posting it in data libraries for
general distribution.
The alleged virus problem received
widespread attention in early March when
an unauthorized message was placed onto
Freehand, a commercial software product
for the Apple Macintosh published by
Aldus Corp. Earlier, the same message
circulated in several information
services and was uploaded to
CompuServe's Hyper Forum, a forum
devoted to the Hypertext technology that
is part of the Micronetworked Apple
Users Groups (GO MAUG).
The message read "Richard Brandow,
publisher of MacMag, would like to take
this opportunity to convey a universal
message of peace to all Macintosh
users." It then erased itself without
doing any harm.
Of the situation, Neil Shapiro, MAUG's
chief sysop, said, "The whole problem
has been completely hyped out of
proportion."
--Daniel Janal
COMPUTER VIRUS NEWSLETTER DEBUTS
(April 13)
If you want to follow all the latest
news on insipid computer viruses, you
might be interested in the debut of
"Computer Virology," a newsletter
devoted to identifying and analyzing
those annoying computer diseases.
Produced by Director Technologies
Inc., the developers of Disk Defender, a
hardware device that write protects PC
hard disks, the newsletter will be
published monthly. Topics will include
developments for protection against the
viruses, precautions and procedures to
follow to insure that terrorists not let
loose this rampant epidemic.
"The latest strain of computer viruses
presently causing serious damage at
university labs, scientific research
facilities, hospitals and business
organizations worldwide, has created a
very real concern for the future of
having free access to the tremendous
amounts of information that are now
readily available for unlimited use,"
said Dennis Director, president of
Director Technologies.
"The potential dangers of such viruses
is that they can be used not only as a
means to facilitate malicious pranks in
the home computer area, but also pose a
real `terrorist' threat to academic
computing labs, scientific research
projects and business. Data loss can
cost hundreds of thousands of dollars in
real money, as well as in wasted
man-hours."
The newsletter is distributed free of
charge. For information or to subscribe,
contact Director Technologies Inc., 906
University Pl., Evanston, IL 60201.
312/491-2334.
SIR-TECH UNVEILS ANTI-VIRUS
(April 14)
Sir-tech Software Inc., the
Ogdensburg, N.Y., firm best known for
its recreational programs such as the
acclaimed "Wizardry" series of adventure
games, now has released a free program
called "Interferon, the Magic Bullet"
that it says is meant to "halt the
devastation of computer virus."
A company statement reports that
Robert Woodhead, 29-year-old director of
Sir-tech's Ithaca, N.Y., development
center, designed the Apple Macintosh
program to "detect and destroy the
highly-publicized computer virus which
threatens the integrity of the world's
computer systems."
Sir-tech says the program will be
offered free for downloading from
related services on CompuServe and
GEnie. In addition, it is available by
mailing a diskette with a
self-addressed, stamped envelope to
Sir-tech, 10 Spruce Lane, Ithaca, N.Y.
14850.
While the program itself is free,
Woodhead asks for donations to a fund
established to buy computer equipment
for visually impaired users. A notice in
the software gives details on the fund.
Woodhead said he has worked since
early this year to come up with
Interferon, named for the antiviral
treatment for cancer. "Just as a virus
leaves clues in a human body, the
computer virus is detectable if users
know what to look for," Woodhead said.
The Interferon program recognizes
changes that computer viruses make as
they spread their infection and will
indicate that there is something amiss,
the statement said. "The infection can
be cured by deleting the diseased
files," it added. "As new viruses are
discovered, Interferon will be updated
for instant detection."
--
NEW VIRUS PLAGUES MACINTOSHES AT NASA
AND APPLE
(April 18)
Apple Macintosh computers at the
National Aeronautics and Space
Administration and at Apple Computer as
well as other business offices around
the country have caught a new computer
virus, reports Newsday.
The latest high-tech plague is under
investigation by Apple and federal
authorities.
During the past three weeks, Apple has
been receiving reports of a virus called
Scores. Although it has not been known
to erase any data, it can cause
malfunctions in printing and accessing
files and can cause system crashes,
Cynthia Macon of Apple Computer told
Newsday.
Two hundred of the 400 Macintosh
computers at the Washington, D.C.
offices of NASA have been infected.
Many of them are connected to local area
networks and are spreading the virus.
"This particular virus does not attack
data. We have no record indicating
anyone lost anything important," said
Charles Redmond, a NASA spokesman.
Newsday notes that the Scores virus
can be detected by the altered symbols
that appear in Scrapbook and Note Pad,
two Macintosh files. Instead of the Mac
logo, users see a symbol that looks like
a dog-eared piece of paper. Two days
after the virus is transmitted, it is
activated and begins to randomly infect
applications, such as word processing
and spreadsheet programs.
EDS Corp. of Dallas, Texas was also
infected with the Scores virus, but
managed to stop its spread.
-- Cathryn Conroy
FRIDAY THE 13TH "VIRUS" FIZZLES
(May 14)
Good morning, computerdom! It's
Saturday the 14th and we're all still
here. At least, we all SEEM to still be
here, though some are saying it's too
early to tell for sure.
Yesterday, the first Friday the 13th
of the year, was widely reported to be
the target date for the denotation of a
computer virus called "Black Friday"
which was first discovered in the
computers of the Hebrew University in
Jerusalem late last year. The virus,
which was reported to have spread from
Jerusalem to computers around the world,
was said to be designed to destroy
computer files on May 13.
However, no early reports of damage
have surfaced. Computer experts in
Jerusalem told Associated Press writer
Karin Laub that the so-called virus was
undone because most computer users were
alerted in time. Hebrew University
researchers detected the virus on Dec.
24 because of a flaw in its design,
according to senior programmer Yisrael
Radai.
Nonetheless, a few experts are saying
that we aren't out of the woods yet.
For instance, Donn Parker of the SRI
International research firm in Menlo
Park, Calif., told The Washington Post
this morning that he hadn't heard of any
virus-related damage, "but we have been
holding our breath. I think it will be a
dud, but we won't know until next week,
and only then if people whose computers
go down talk about it."
Some software companies tackled the
virus scare. AP reports that the Iris
software publisher of Tel Aviv developed
an anti-virus program for the Israeli
computing community and sold 4,000
copies before yesterday. President Ofer
Ahituv estimated that 30 percent of his
6,000 customers, most of them
businesses, had been infected by the
Black Friday virus.
Meanwhile, some are saying the
apparent fizzle of the virus is what
they expected all along.
"Viruses are like the bogyman," said
Byron C. Howes, a computer systems
manager at the University of North
Carolina at Chapel Hill. Speaking with
AP, he compared programmers who believe
in viruses to "people who set little
bowls of milk outside our doors to feed
the dwarfs."
Barry B. Cooper, owner of Commercial
Software in Raleigh, N.C., agreed. "I
just think that the whole thing is a
joke," like the prediction by medieval
seer Nostradamus of a major earthquake
on May 8, 1988. "That didn't come true,
and this won't come true."
--
R.I. NEWSPAPER DISLODGES VIRUS
(May 16)
The Providence, R.I., Journal-Bulletin
says it worked for the past week and a
half to stamp out a "virus" that
infected an in-house personal computer
network used by reporters and editors,
but not before the virus destroyed one
reporter's data and infected scores of
floppy disks.
Writing in The Journal, Jeffrey L.
Hiday said the virus was "a well-known,
highly sophisticated variation called
the 'brain' virus, which was created by
two brothers who run a computer store in
Lahore, Pakistan."
Variations of the virus, he noted,
have been discovered at companies and
colleges across the country, including,
last week, Bowie State College in
Maryland, where it destroyed five
students' disks. Online Today reported
on April 23 that a similar
Pakistan-based virus infected a student
system used at Miami University in Ohio,
threatening to wipe out term papers
stored there.
Apparently this is the first time a
virus has invaded a US newspaper's
system.
Hiday said The Journal contacted one
of the Pakistan brothers by phone, who
said he created this particular virus
merely to keep track of software he
wrote and sold, adding that he did not
know how it got to the United States.
However, Hiday added, "US computer
programming experts ... believe the
Pakistanis developed the virus with
malicious intent. The original version
may be relatively harmless, they point
out, but its elegance lends itself to
alterations by other programmers that
would make it more destructive."
The newspaper says it discovered the
virus on May 6 when a message popped up
on computer screens reading, "Welcome to
the Dungeon. ... Beware of this VIRUS.
Contact us for vaccination." The message
included a 1986 copyright date, two
names (Basit and Amjad), a company
(Brain Computer Services), an address
(730 Nizam Block Allama Iqbal in Lahore,
Pakistan) and three phone numbers.
Journal-Bulletin systems engineer
Peter Scheidler told Hiday, "I was sort
of shocked. I never thought I'd see a
virus. That's something you read about."
The virus infected only the PC
network; neither the paper's Atex
news-editing system nor its IBM
mainframe that supports other
departments were affected.
Hiday says the newspaper now is taking
steps to protect itself against another
virus attacks. It has tightened
dissemination of new software and
discussed installing "anti-virus"
devices. In addition, computer users
have been warned not to use "foreign"
software, and reporters have been
instructed to turn their computers off
and then on again before inserting
floppy disks.
--
EPA MACINTOSHES RECOVER FROM VIRUS
(May 18)
Although Apple Macintosh computers at
the Environmental Protection Agency were
recently plagued with a virus, all of
them seem to be on the mend now.
According to Government Computer News,
the computers were vaccinated with Virus
Rx, a free program issued by Apple
Computer Inc. to help users determine if
their hard disks have been infected.
Apple has begun an educational campaign
to promote "safe computing practices,"
Apple spokeswoman Cynthia Macon told
GCN.
Virus Rx is available on CompuServe in
the Apple Developers Forum (GO APPDEV)
in Data Library 8 under the name
VIRUS.SIT.
Macon said the best long-term response
to viruses "is to make users aware of
steps they can take to protect
themselves." These include backing up
data files, knowing the source of
programs and write-protecting master
disks. Other steps include booting from
a floppy disk and running all programs
from floppies rather than installing and
running them from the hard disk.
EPA is having some trouble with
reinfection. Since up to 20 people may
use one Macintosh, someone may
unknowingly insert a virus-plagued disk
into a clean machine. "It's like mono.
You just never get rid of it," said
Leslie Blumenthal, a Unisys Corp.
contract employee at EPA.
FBI agents in Washington, D.C. and San
Jose, Calif. are investigating the
spread of the Macintosh virus, notes
GCN.
-- Cathryn Conroy
CONGRESS CONSIDERS VIRUS PROBLEMS
(May 19)
Computer viruses have come to the
attention of Congress and legislators
would like to be assured that US defense
computers are safe from the replicating
little bugs. Although defense systems
can't be reached simply by telephoning
them, a virus could be contracted
through an infected disk containing
non-essential information.
The Defense Authorization Bill for FY
1989 is likely to direct the Defense
Department (DoD) to report on its
methods for handling potential viral
infections. Congress also wants to know
what DoD has done about safeguarding
military computers. They'd like some
assurance that the Defense Department
also has considered situations where a
primary contractor's computer could be
infected and subsequently endanger DoD's
own computers.
Anticipating future hearings,
Congressional staffers are soliciting
comments from knowledgeable users as to
what the report to Congress should
cover. Interested parties should forward
their comments to Mr. Herb Lin, House
Armed Services Committee, 2120 Rayburn
House Office Building, Washington DC
20515. Further information is available
by calling 202/225-7740. All comments
will be kept in confidence.
--
TEXAN STANDS TRIAL FOR ALLEGEDLY
INFECTING SYSTEM WITH "VIRUS"
(May 24)
In Fort Worth, Texas, a 39-year-old
programmer is to stand trial July 11 on
felony charges that he intentionally
infected an ex-employer's system with a
computer "virus." If convicted, he faces
up to 10 years in prison.
The man, Donald Gene Burleson,
apparently will be the first person ever
tried under the state's tougher computer
sabotage law, which took effect Sept. 1,
1985.
Dan Malone of the Dallas Morning News
broke the story this morning, reporting
on indictments that accuse Burleson of
executing programs "designed to
interfere with the normal use of the
computer" and of acts "that resulted in
records being deleted" from the systems
of USPA and IRA Co., a Fort Worth-based
national securities and brokerage.
The paper quoted police as saying the
electronic interference was a "massive
deletion" of more than 168,000 records
of sales commissions for employees of
the company, where Burleson once worked
as a computer security officer.
Burleson currently is free on a $3,000
bonding pending the trial.
Davis McCown, chief of the Tarrant
County district attorney's economic
crimes division, said of the alleged
virus, "You can see it, but you can't
see what it does -- just like a human
virus. It had the ability to multiply
and move around and was designed to
change its name so it wouldn't be
detected."
McCown also told Malone he wanted to
make sure "that this type of criminal
understands that we have the ability to
make these type of cases; that it's not
so sophisticated or complicated that
it's above the law."
Company officials first noticed a
problem on Sept. 21, 1985. Says the
Dallas newspaper, "Further investigation
revealed that an intruder had entered
the building at night and used a
'back-door password' to gain access to
the computer. ... Once inside, the
saboteur covered his tracks by erasing
computer logs that would have followed
his activity, police said. With his
access to the computer complete, the
intruder manually deleted the records."
Authorities say that only a few of the
200 workers in the USPA home office --
including Burleson -- had access and the
knowledge needed to sabotage the system.
Earlier USPA was awarded $12,000 by a
jury in a civil lawsuit filed against
Burleson.
--
FBI CALLED TO PROBE VIRUS CASE
(July 4)
The FBI has been called in by NASA
officials to investigate an alleged
computer virus that has destroyed data
on its personal computers and those of
several other government agencies.
The New York Times reported this
morning that the rogue program --
apparently the so- called "Scores" virus
that surfaced last April -- was designed
to sabotage data at Dallas' Electronic
Data Systems. The paper said the virus
did little damage to the Texas company
but did wreak havoc on thousands of PCs
nationwide.
The Times quoted NASA officials as
saying the FBI was called in because,
even though damage to government data
was limited, files were destroyed,
projects delayed and hundreds of hours
were spent tracking the culprit at
various government agencies, including
NASA, the Environmental Protection
Agency, the National Oceanic and
Atmospheric Administration and the US
Sentencing Commission.
NASA says it doesn't know how the
program, which damaged files from
January to May, spread from the Texas
EDS firm to PC networks nor whether the
virus was deliberately or accidentally
introduced at government agencies.
Meanwhile, the Times quoted experts as
saying that at least 40 so-called
"viruses" now have been identified in
the United States, defining a virus as a
program that conceals its presence on a
disk and replicates itself repeatedly
onto other disks and into the memory of
computers.
As reported here in April, the Scores
virus was blamed for infecting hundreds
of Apple Macintosh computers at NASA and
other facilities in Washington, Maryland
and Florida.
The Times says the spread of the virus
was exacerbated when private contractors
in Washington and North Carolina
inadvertently sold dozens of computers
carrying the virus to government
agencies. The virus spread for as long
as two months and infected networks of
personal computers before it was
discovered.
--
NEW MEXICO BBS SUES OVER VIRUS
(Aug. 17)
The operator of a New Mexico computer
bulletin board system has filed what may
be the first federal suit against a
person accused of uploading a computer
"virus."
William A. Christison, sysop of the
Santa Fe Message BBS, alleges in his
suit that a man named Michael Dagg
visited his board in the early hours of
last May 4 and "knowingly and
intentionally" uploaded a
digitally-infected file called
"BBSMON.COM."
The suit says Christison "checked the
program before releasing it to the
public and discovered that it was a
'Trojan Horse'; i.e., it appeared to be
a normal program but it contained hidden
commands which caused the program to
vandalize Plaintiff's system, erasing
the operating system and damaging the
file allocation tables, making the files
and programs stored in the computer
unusable."
Christison says that the defendant
re-visited the BBS nine times between
May 5 and May 12, sometimes logging in
under a pseudonym. "Several of these
times," the suit says, "he sent in
messages and on May 7, 1988, he
knowingly and intentionally sent in by
modem a program of the same name,
BBSMON.COM, as the original 'Trojan
Horse' computer program."
Through attorney Ann Yalman,
Christison asks the court to grant
$1,000 for each Trojan Horse violation
and to enjoin the defendant "from
sending 'Trojan Horses' or 'viruses' or
other vandalizing programs to Plaintiff
or anyone else."
A copy of the Santa Fe Message's suit
has been uploaded to CompuServe's IBM
Communications Forum. To see it, visit
the forum by entering GO IBMCOM at any
prompt. The ASCII file is VIRUS.CHG in
forum library 0.
Also, you can reach Christison BBS
directly with a modem call to
505/988-5867.
--
VIRUS FIGHTERS FIGHT EACH OTHER
(Aug. 31)
Two groups that mean to protect us in
the fight against so-called computer
"viruses" seem to be spending rather a
lot of their energies fighting each
other.
"I personally know most of the people
in this industry and I have never seen
this kind of animosity," Brian Camenker
of the Boston Computer Society tells
business writer Peter Coy.
The bickering grew louder on Monday in
page-one article in MIS Week trade
newspaper in which each side accused the
other of using sloppy techniques and
manipulating the testing process for its
own purposes.
Says Coy, "The intensity of the debate
has left some software developers
disgusted with the whole business."
The argument, which centers around
fair evaluation anti-virus "vaccine"
software, pits the 2- month-old Computer
Virus Industry Association led by John
McAfee, president of InterPath Corp. of
Santa Clara, Calif., against what Coy
terms "a loose collection of other
computer experts" led by consultant Jon
R. David of Tappan and editor Harold
Highland of Computers & Security
magazine.
"Customers and producers agree on the
need for an independent panel of experts
to review the (vaccine) software," Coy
comments. "The question splitting the
industry is who should be in charge."
CVIA is pulling together an
independent university testing panel
made up of representatives of Pace
University, Adelphi University and Sarah
Lawrence College and headed by John
Cordani, who teaches computer science at
Adelphi and Pace. However, David and
Highland say these people don't have the
necessary credentials and that McAfee's
InterPath products will have an
advantage in the testing because McAfee
invented a virus simulator that will be
used as a testing mechanism.
Meanwhile, Highland says he's getting
funding from his publisher, Elsevier
Advanced Technology Publications, for
his own review of anti-viral software,
but adds he isn't interested in
operating an ongoing review board.
--
VIRUS TRIAL BEGINS IN FORT WORTH
(Sept. 7)
A 40-year-old Texas programmer has
gone on trial this week, accused of
using a "virus" to sabotage thousands of
computer records at his former
employer's business.
If convicted in what is believed to be
the nation's first virus-related
criminal trial, Donald G. Burleson faces
up to 10 years in jail and a $5,000
fine.
Reporting from the state criminal
district court in Fort Worth, Texas, The
Associated Press notes Burleson was
indicted on charges of burglary and
harmful access to a computer in
connection with damage to data at USPA &
IRA Co. securities firm two days after
he was fired. The trial is expected to
last about two weeks.
USPA, which earlier was awarded
$12,000 in a civil suit against
Burleson, alleges the defendant went
into its offices one night and planted a
virus in its computer records that, says
AP, "would wipe out sales commissions
records every month. The virus was
discovered two days later, after it had
eliminated 168,000 records."
--
VIRUS ATTACKS JAPANESE NETWORK
(Sept. 14)
Japan's largest computer network --
NEC Corp.'s 45,000- subscriber PC-VAN
service -- has been infected by a
computer "virus."
McGraw-Hill News quotes a NEC
spokesman as saying that over the past
two weeks 13 different PC- VAN users
have reported virus incidents.
Subscribers' user IDs and passwords
"were apparently stolen by the virus
planter when the members accessed one of
the service's electronic bulletin
boards," MH says. "The intruder then
used the information to access other
services of the system and charged the
access fees to the password holders."
NEC, which says it has not yet been
able to identify the virus planter, gave
the 13 subscribers new user IDs and
passwords to check the proliferation of
the virus.
--
JURY CONVICTS PROGRAMMER OF VIRUS
(Sept. 20)
After deliberating six hours, a Fort
Worth, Texas, jury late yesterday
convicted a 40-year-old programmer of
planting a "virus" to wipe out 168,000
computer records in revenge for being
fired by an insurance firm.
Donald Gene Burleson is believed to be
the first person convicted under Texas's
3-year-old computer sabotage law. The
trial, which started Sept. 6, also was
among the first of its kind in the
nation, Judge John Bradshaw told the
Tarrant County jury after receiving its
verdict.
The Associated Press says jurors now
are to return to State District Court to
determine the sentence.
Burleson, an Irving, Texas, resident,
was found guilty of harmful access to a
computer, a third-degree felony with a
maximum penalty of 10 years in prison
and a $5,000 fine. However, as a
first-time offender, Burleson also is
eligible for probation.
As reported here earlier, Burleson was
alleged to have planted a rogue program
in computers used to store records at
USPA and IRA Co., a Fort Worth insurance
and brokerage firm.
During the trial, prosecutor Davis
McCown told the jury the virus was
programmed like a time bomb and was
activated Sept. 21, 1985, two days after
Burleson was fired as a programmer at
the firm because of alleged personality
conflicts with other employees.
AP quoted McCown as saying, "There
were a series of programs built into the
system as early as Labor Day (1985).
Once he got fired, those programs went
off."
McCown added the virus was discovered
two days later after it had eliminated
168,000 payroll records, holding up
paychecks to employees for more than a
month.
Expert witnesses also testified in the
three-week trial that the virus was
entered in the system via Burleson's
terminal by someone who used Burleson's
personal access code.
However, the defense said Burleson was
set up by someone else using his
terminal and code. Says AP, "Burleson's
attorneys attempted to prove he was
vacationing in another part of the state
with his son on the dates in early
September when the rogue programs were
entered into the system. But prosecutors
presented records showing that Burleson
was at work and his son was attending
school on those dates."
The Fort Worth Star-Telegram reports
that also during the trial, Duane
Benson, a USPA & IRA senior programmer
analyst, testified the automated virus
series, which was designed to repeat
itself periodically until it destroyed
all the records in the system, never was
automatically activated. Instead, Benson
said, someone manually set one of the
programs in motion Sept. 21, 1985,
deleting the records, then covering his
or her tracks by deleting the program.
Prosecutor McCown says data damage in
the system could have amounted to
hundreds of thousands of dollars had the
virus continued undetected.
As reported here earlier, Burleson
also has lost a civil case to USPA in
connection with the incident. That jury
ordered him to pay his former employers
$12,000.
Following the yesterday's verdict,
McCown told Star-Telegram reporter
Martha Deller, "This proves (virus
damage) is not an unprosecutable
offense. It may be hard to put a case
together, but it's not impossible."
--
UNIVERSITY PROFESSORS ATTACK COMPUTER
VIRUSES
(Sept. 30)
Because they have not been given
access to the National Security Agency's
anti-virus research, several university-
based computer experts are planning to
begin their own testing and validating
of software defenses against computer
viruses, reports Government Computer
News.
Led by John Cordani, assistant
professor of information systems at
Adelphi University, the results will be
made public, unlike those being
researched by NSA. The work being done
by the Department of Defense is too
classified for use by the general
computer community.
GCN notes that computer viruses are
hard-to-detect programs that secretly
replicate themselves in computer
systems, sometimes causing major damage.
Cordani and five other academics will
establish secure laboratories to study
viruses in three New York colleges:
Adelphi University, Pace University and
Sarah Lawrence College. The lab will
test anti-virus software developed by
companies that are members of the
Computer Virus Industry Association, a
consortium of anti-virus defense
developers.
The group will then publish what it is
calling "consumer reports" in the media
and on electronic bulletin board
systems. Once sufficient research is
completed, more general grading systems
will be applied, said Cordani. In
addition, the lab will use viruses sent
to them by the CVIA to develop
classification algorithms to aid in
describing a virus' actions and effects.
-- Cathryn Conroy
SECOND VIRUS FOUND AT ALDUS CORP.
(Oct. 21)
For the second time this year, a
computer "virus" has been found in a
commercial program produced by Seattle's
Aldus Corp. The infection was found in
the latest version of the FreeHand
drawing software, the same software that
was invaded by a different virus last
March.
An Aldus official told The Associated
Press the company was able to prevent
the virus's spread to programs for sale
to the public, but that an entire
computer network within Aldus'
headquarters has been infected.
The virus was found in a version of
the Apple Macintosh software that was
sent to specific users to be tested
before going to market. One of the
testers discovered the virus, dubbed
"nVir," and two days later, Aldus
realized the virus was in its own
in-house network.
Said Aldus spokeswoman Jane Dauber,
"We don't know where it came from. That
is the nature of the virus. You can't
really track it."
AP says Aldus officials said the new
virus has remained dormant so far, a
tiny program that merely attaches itself
to other programs.
"We don't know why," Dauber said. "We
don't know what invokes this virus. With
some of them, you have to launch the
program a certain number of times," for
the virus to activate.
The company told the wire service
that, while it does not know where the
virus originated, reports are that it
apparently has infected at least one
unidentified East Coast university's
computers.
Another Aldus spokeswoman, Laury
Bryant, added, "You just can't always
stop these things from coming in the
door. But what we have done is to set up
systems which eliminate them before they
are actually in full version,
shrink-wrap software and stop them from
going out the door."
Last March, in what was apparently the
first instance of an infection in
commercial software, a virus called the
"March 2 peace message" was found in
some FreeHand programs. The invasion
caused Aldus to recall or rework
thousands of packages of the new
software.
--
MAN SENTENCED IN NATION'S FIRST
VIRUS-RELATED CRIMINAL COURT CASE
(Oct. 23)
Donald Gene Burleson, the first person
ever convicted of using a computer
"virus" to sabotage data, has been
sentenced to seven years' probation and
ordered to pay back nearly $12,000 to
his former employer.
The 40-year-old Irving, Texas, man's
attorney told United Press International
he will appeal the sentenced handed down
late Friday by District Judge John
Bradshaw in Fort Worth, Texas.
As reported earlier, Burleson was
convicted Sept. 19 of the third-degree
felony, the first conviction under the
new Texas state computer sabotage law.
He was accused of infecting the
computers of USPA & IRA, a Fort Worth
insurance and securities firm a few days
after his firing Sept. 18, 1985.
Burleson could have received two to 10
years in prison and a fine up to $5,000
under the 1985 law. As a first-time
offender, however, he was eligible for
probation.
As reported during last month's trial,
a few days after Burleson's firing in
1985, company officials discovered that
168,000 records of sales commissions had
been deleted from their system.
Burleson testified that he was more
than 300 miles away from Fort Worth on
Sept. 2 and Sept. 3 when the virus was
created. However, UPI notes that
evidence showed that his son was not
traveling with him as he said but in
school, and that a credit card receipt
Burleson said proved he was in Rusk on
Sept. 3 turned out to be from 1987.
Associated Press writer Mark Godich
quoted Burleson's lawyer, Jack Beech, as
saying he had asked for five years'
probation for his client, and
restitution not to exceed $2,500.
Godich also observed that the
Burleson's conviction and sentencing
"could pave the way for similar
prosecutions of people who use viruses."
Chairman John McAfee of the Computer
Virus Industry Association in Santa,
Clara, Calif., told AP the Texas case
was precedent-setting and that it's rare
that people who spread computer viruses
are caught. He added his organization
had documented about 250,000 cases of
sabotage by computer virus.
--
BRAIN VIRUS HITS HONG KONG
(Oct. 30)
According to Computing Australia, a
major financial operation in Hong Kong
was infected with a version of the
"Brain" virus. This is the first
reported infection of a commercial
business in the East.
Business International, a major
financial consulting firm in Hong Kong,
is believed not to have suffered any
major damage. A company spokeswoman
played down the appearance of the virus
and said that no data had been lost.
The "brain" virus has been reported as
a highly sophisticated piece of
programming that was created by two men
in Lahore, Pakistan who run the Brain
Computer Services company. It's last
reported appearance in the US was during
May when it popped up at the Providence,
R.I., Journal- Bulletin newspaper.
--
60 COMPUTER FIRMS SET VIRUS GOALS
(Nov. 2)
Some 60 computer companies have
organized a group to set guidelines that
they say should increase reliability of
computers and protect the systems from
so-called "viruses."
The Reuter Financial News Service says
that among firms taking part in the
movement are Microsoft Corp., 3Com Inc.,
Banyan Systems and Novell Inc. At the
same time, though, declining to join the
efforts are such big guys as IBM and
Digital Equipment Corp.
Reuter reports, "The companies said
the measures would promote competition
while allowing them to cooperate in
making computers more reliable and less
vulnerable to viruses."
However, the firms apparently have
shied away from specific proposals,
instead issuing broad recommendations
that leave it up to each company to
develop the technology needed to prevent
the spread of viruses, Reuter said.
--
Last page !m
Online Today OLT-2039
COMPUTER VIRUS EPIDEMIC
1 Backgrounder, Part I
2 Backgrounder, Part II
3 Backgrounder, Part III
4 Backgrounder, Part IV
5 Backgrounder, Part V
6 Backgrounder, Part VI
Enter choice !3
Online Today OLT-1005
ONLINE TODAY'S BACKGROUNDER: COMPUTER
"VIRUS," PART THREE
(Editor's note: Computer "viruses" --
self-propagating programs that spread
from one machine to another and from one
disk to another -- have been very much
in the news. This file contains
virus-related stories carried by Online
Today's electronic edition beginning in
November 1988.)
Press for more !s
NEW LAN LABORATORY GROUP OFFERS
SUGGESTIONS FOR VIRUS PREVENTION
(Nov. 7)
Just a week or so before thousands of
networked computers across the country
were struck by a rapid virus, some 60
computer companies endorsed a set of
virus-prevention guidelines drafted by
the National LAN Laboratory.
The Reston, Va., group, devoted to
local area networks, hopes its tips can
prevent and control future viruses and
worm program intrusions.
Speaking with business writer Peter
Coy of The Associated Press, LAN Lab
spokesman Delbert Jones said, "The key
issue is that with proper precautions,
one can continue to live a normal
existence. ... "It's very much like the
AIDS virus: The best solution is
precaution."
Here, according to AP, are the
suggestions by the LAN Lab group:
1. All software should be purchased
from known, reputable sources.
2. Purchased software should be in its
original shrink wrap or sealed disk
containers when received.
3. Back-up copies should be made as
soon as the software package is opened.
Back-ups should be stored off-site.
4. All software should be reviewed
carefully by a system manager before it
is installed on a network.
6. New software should be quarantined
on an isolated computer. This testing
will greatly reduce the risk of system
virus contamination.
7. A back-up of all system software
and data should be made at least once a
month, with the back-up copy stored for
at least one year before re-use. This
will allow restoration of a system that
has been contaminated by a
"time-released" virus. A plan that
includes "grandfathered" rotation of
back-up copies will reduce risk even
further.
8. System administrators should
restrict access to system programs and
data on a "need-to-use" basis. This
isolates problems, protects critical
applications, and aids problem
diagnosis.
9. All programs on a system should be
checked regularly for program length
changes. Any program-length deviations
could be evidence of tampering, or virus
infiltration.
10. Many shared or free programs are
invaluable. However, these are the prime
entry point for viruses. Skeptical
review of such programs is prudent.
Also, extended quarantine is essential
before these programs are introduced to
a computer system.
11. Any software that exhibits
symptoms of possible virus contamination
should be removed immediately. System
managers should develop plans for quick
removal of all copies of a suspect
program, and immediate backup of all
related data. These plans should be made
known to all users, and tested and
reviewed periodically.
--
"BRAIN VIRUS" APPEARS IN HOUSTON
(Nov. 9)
A version of the so-called "Brain
virus," a rogue program believed to have
originated in Pakistan, now has cropped
up in computers used by University of
Houston business students. Texas
officials say that the virus, while a
nuisance, has posed no real problem.
University research director Michael
Walters told The Associated Press, "It
probably hasn't cost us much, except a
few days of people-time to clean up
these disks, but it probably cost the
students a good bit of frustration."
Some students report they have lost
data, but Walters told the wire service
he knows of no one who has lost an
entire term paper or other large
quantity of work. Nonetheless, reports
still were coming in from students late
yesterday.
This version of the Brain virus, which
last spring was traced to a computer
store in Lahore, Pakistan, announced
itself at the university early last week
on the screen of one of the 150 PCs the
business department has for students and
faculty. Walters said the virus hasn't
spread to the school's larger computers.
AP quotes Walters as saying the virus
flashed this message (with these
misspellings) to students who tried to
use infected programs:
"Welcome to the dungeon. Copyright
1968 Brain & Amjads, PVT, LTD. Virus
shoe record V9.0. Dedicated to the
dynamic memory of millions of virus who
are no longer with us today -- Thank
Goodness. BEWARE OF THE VIRUS. This
program is catching. Program follows
after these messeges."
The original "Brain" virus -- which
appeared in May at colleges and
businesses along the East Coast and in
the computers of The Providence, R.I.,
Journal-Bulletin newspaper -- flashed
the "Welcome to the Dungeon" message,
but added "Contact us for vaccination."
It also gave names, an address and a
phone number of two brothers who run a
Lahore, Pakistan, computer store.
Walters said the Houston version of
the virus says nothing about any
vaccine, and the "V9.0" in its message
suggests it may be a modified version.
Before this, the most recent sighting
of the "Brain" virus was at Business
International, a Hong Kong financial
operation. It was thought to be the
first reported digital infection of a
commercial business in the East. The
firm is believed not to have suffered
any major damage.
--
UNIX EXPERT SAYS VIRUS "PANIC"
UNNECESSARY, BLAMES BAD PLANNING
(Nov. 10)
An expert on the Unix operating system
says that much of last week's "panic"
over the virus that brought down some
6,000 networked computers was caused by
poor management technique.
In a statement from his Rescue,
Calif., offices, newsletter editor Bruce
Hunter said, "Most of the damage was
done by the organizations themselves,
not the virus."
Hunter, who edits Root, a bimonthly
Unix administration and management
journal published by InfoPro Systems,
observed that more than 50,000 users
were reportedly cut off at a single site
due to last week's virus, and that more
than a million people are believed to
have been directly affected.
However, Hunter said, "By dropping
network connections, administrators were
ensuring that the virus was winning.
Good communications and information
sharing between administrators is what
helped people on the network find and
implement a solution to the virus
quickly."
Hunter, who also is an author and
mainframe Unix system manager, said that
one job of an administrator is to keep
all system resources available to users,
and another is to "go around searching
for possible trouble."
He said the most important lesson
learned from last week's virus was that
a definite plan is imperative to avoid
inappropriate reactions.
Hunter made these suggestions to
managers:
-:- Develop a set of scenarios and
responses for future virus attacks as
well as physical disasters.
-:- Keep a printed list of system
administrators at all company sites.
-:- Establish a central point of
information.
-:- Coordinate an emergency response
task force of key personnel.
-:- Keep current off-site backups of
all data.
-:- Perform regular security audits.
--
MICHIGAN WEIGHS ANTI-VIRUS LAW
(Nov. 15)
Michigan lawmakers soon will consider
a proposed state law that would impose
felony penalties against anyone
convicted of creating or spreading
computer "viruses."
Sponsoring the bill, Republican Sen.
Vern Ehlers told United Press
International, "Because this is a new
type of crime, it is essential we
address it directly with a law that
deals with the unique nature of
computers."
Citing this month's virus attack on
military and research computers linked
by ARPANET and other networks, Ehlers
added, "The country recently saw how
quickly a virus can spread through
network users. The Defense Department
and its contractors were extremely
fortunate that the virus was relatively
harmless."
The senator said his bill, still being
drafted, is expected to include
provisions making it a felony for anyone
to deliberately introduce a virus into a
computer system.
UPI notes Ehlers is a physicist with a
Ph.D who has 30 years' experience with
computers.
--
VIRUS STRIKES CALIF. MACINTOSHES
(Nov. 15)
Students at Southern California
universities were being warned today of
a rapidly spreading West German virus
that reportedly is disrupting functions
of Apple Macintosh computers.
"In general, this thing is spreading
like mad," Chris Sales, computer center
consultant at California State
University at Northridge, told The
Associated Press. "It originated in West
Germany, found its way to UCLA and in a
short time infected us here."
AP quotes school officials as saying
that at least a dozen Macs at the
suburban San Fernando Valley campus have
been infected since the virus first
cropped up last week. Cal State says the
virus apparently does not erase data,
but that it does stall the computers and
removal requires hours of reprogramming.
The wire service said students' disks
are "being tested for the virus" before
they can rent a Mac at the university
bookstore.
--
COMPUTER SECURITY EXPERT OFFERS TIPS
(Nov. 15)
The need to protect against computer
viruses has heralded the end of the
user-friendly computer era, says one
security expert.
According to Government Computer News,
Sanford Sherizen, president of Data
Security Systems Inc. of Natick, Mass.
said the objective now is to make
software bullet-proof, not accessible.
He said that since the advent of
computers in offices, managers have been
faced with the conflicting needs of
protecting the data versus producing it.
Data must be accessible to those who
need it and yet at the same time secure
from those who can alter, delete,
destroy, disclose or steal it or steal
computer hardware.
Sherizen told GCN reporter Richard A.
Danca that non- technical managers can
contribute to computer security as
advocates and facilitators. Users must
learn that security is a part of their
jobs.
He predicted that security managers
will soon use biometric security
measures such as comparing retinal blood
vessels or fingerprints. Needless to
say, such techniques raise complicated
issues of civil liberties and privacy.
Sherizen said that all information
deserves protection.
--Cathryn Conroy
VIRUS THREAT SAID EXAGGERATED
(Nov. 16)
Because of the latest reports of
attacks by computer "viruses," some in
the industry are ready to blame such
rogue programs for anything that goes
wrong.
However, expert Charles Wood told a
15th annual computer security conference
in Miami Beach, Fla., this week, "Out of
over 1,400 complaints to the Software
Service Bureau this year, in only 2
percent of the cases was an electronic
virus the cause of the problem. People
are jumping to the conclusion that
whenever a system slows down, it's a
virus that's responsible."
The Associated Press reports that Wood
and other panelists cautioned that
computer-dependent companies should
focus more on the day-to-day breakdowns
caused by human error than on viruses.
President Steve Irwin of LeeMah
Datacom Security Corp. told the
conference that this month's virus
assault on networked computers on the
ARPANET system "could be a cheap
lesson."
Said Irwin, "We were lucky because it
was not a real malicious attempt ... If
(the virus' author) had ordered the
programs to be erased, the loss could
have gone into billions, lots of
zeroes."
AP quoted Wood as adding, "The virus
is the hot topic right now, but actually
the real important subject is disaster
recovery planning. But that's not as
glamorous as the viruses."
--
SPA FORMS GROUP TO KNOCK DOWN RUMORS
ABOUT COMPUTER VIRUSES
(Nov. 17)
Upset over wild rumors about the
destructiveness of computer viruses, the
Software Publisher Association has
formed a special interest group to
address computer security.
In a statement released today at the
Comdex trade show in Las Vegas, SPA says
its new Software Security SIG will help
distribute information and serve as
liaison for software publishers,
industry analysts and consultants.
McGraw-Hill News quotes SPA member
Ross Greenberg, president of Software
Concepts Design, as saying, "Recent
unsubstantiated statements regarding the
actual damage caused by viruses...has
caused more of a public fervor than
served as a public service."
At the SIG's organizational meeting,
several companies discussed setting
standards on how to educate the public
regarding viruses and various anti-viral
products now being advertised.
--
FEDERAL COMPUTERS AT RISK
(Nov. 22)
Many federal computer systems are
vulnerable to viruses and other security
problems because of inadequate controls
on the design and operation, reports The
Washington Post of a report issued by
the General Accounting Office.
GAO warned that the planned computer
expansion (some $17 billion will be
spent by Uncle Sam in 1989) could only
increase security risks since the
computer growth will be so rapid. It
advised that particular attention be
paid to security concerns, especially in
the early phases of system development.
"Recent instances of security breaches
in automated information systems have
resulted in the loss of assets,
compromise of program objectives and
leaks of sensitive information," said
the report, which is part of series
prepared by GAO for the incoming Bush
administration on national problems it
views as critical.
The Post notes that some computer
experts said that the government's
security woes are no worse than those
that affect corporate or university
systems.
GAO cited specific cases where
government computer security had been
breached:
-:-A clerk used a computer processing
system to embezzle more than $800,000;
-:-employees prepared fraudulent
documents for a tax processing system
and had the refunds sent to themselves
and others;
-:-about 30 employees obtained illicit
access to computer files and made
unauthorized disclosures of highly
sensitive information;
-:-several federal agencies have been
the victims of computer viruses that
have destroyed software and data.
-- Cathryn Conroy
VIRUS THREAT ANALYZED BY EXPERTS
(Nov. 23)
The Computer Virus Industry
Association reports there have been 300
recorded "events" of computer virus
attacks on some 48,000 computers during
the past eight months.
John McAfee, chairman of the
association, told The Washington Post
that 97 percent of those incidents
involved personal computers. He says he
considers them to be more vulnerable
than larger systems because people
frequently stick their disks into other
people's computers to share data or
software or just to use another's
printer.
Sharing data is not considered a risky
proposition; sharing software is another
matter, since viruses attach themselves
to programs. And once infected, that
program can spread the virus to other
programs and computers.
McAfee told The Post his group has
counted some 30 strains of viruses that
affect PCs, some of which are quite
innocuous while others have potentially
disastrous consequences. Some viruses
act immediately; others sit like time
bombs waiting to go off at a set time.
But the experts warn users to not
become hysterical over the threat of
viruses. Peter Norton, author of the
popular Norton Utility programs, likens
viruses to "urban myths, like alligators
in the New York sewers."
The CVIA says that just four percent
of the cases reported to it have
actually be verified as real viruses.
Most are software bugs, system errors or
similar problems, notes The Post.
-- Cathryn Conroy
FBI PROBES INTERNET INTRUSION
(Nov. 24)
Although the so-called virus "attack"
that affected a number of national
computer networks has been characterized
as unintentional, the Federal Bureau of
Investigation is apparently gathering
information to support criminal
sanctions against the virus' developer.
The FBI's authority to pursue such an
investigation stems from the Computer
Fraud and Abuse Act of 1986 --
legislation that criminalizes
unauthorized access to a computer system
being operated for the use of the
federal government.
The network intrusion on November 3,
affected a number of computers at
federal installations including those at
the Lawrence Livermore National
Laboratory in San Francisco and the NASA
Ames Research Center in Mountain View,
Calif.
Reportedly, the FBI Case Agent has
asked the Defense Data Network (DDN)
Project Management Office "to collect
the names of organizations and Points of
Contact (names and phone numbers) that
were hit by the Virus." Those who wish
to submit information will be contacted
by their local FBI Field Office.
Additional information is available
from the DDN security office at
703/285-5206.
--
"CORE WARS" CREATOR URGES VIRUS CONTROL
CENTERS TO BE SET UP
(Nov. 25)
A Canadian professor and computer
columnist with Scientific American says
that governments ought to set up centers
for "computer virus control" patterned
after the Centers for Disease Control.
Alexander Dewdney, professor of
computer science at the University of
Western Ontario, told reporter Stephen
Strauss of The Toronto Globe and Mail
that the centers could isolate, identify
and then develop antidotes for
self-replicating viruses.
Dewdney became famous a few years ago
by writing in Scientific American about
how the principle of computer viruses
could be turned into a game he called
"Core Wars."
Strauss writes, "Under Dewdney's plan,
an organization knowing or suspecting
its system of being infected by a virus
would send a copy of all or part of its
main operating program to the center.
There, the contaminated program would be
routed to a special 'clean room' portion
of the center's computer memory where it
would not be able to attack anything
else. Virus experts would then examine
the program to determine what kind of
bug was let loose... Once the viral type
was determined, countermeasures could be
put into effect."
Dewdney suggests this last step could
be either a program counteracting the
original virus or one which made the
invading virus destroy all copies of
itself.
"People," he said, "could expect that
within 24 hours some kind of remedy
would be in place."
--
GOVERNMENT RESPONDS TO RECENT VIRUS
ATTACKS
(Nov. 25)
Federal computer security officials
are scrambling to prevent further
attacks by computer viruses on
government systems.
According to Government Computer News,
top officials from both the
military-based National Security Agency
and the civilian-based National
Institute of Standards and Technology
are working together to develop
solutions to threat.
One idea that is being considered,
according to Stuart Katzke, NIST
computer security chief, is the
formation of a federal center for
anti-virus effort that would be operated
jointly by NIST and NSA.
He told GCN that the center would
include a clearinghouse that would
collect and disseminate information
about threats, such as flaws in
operating systems as well as solutions.
In addition, it would help organize
responses to emergencies by quickly
warning users of new threats and
defenses against them. Katzke explained
that those who have solutions to a
threat could transmit their answers
through the center to threatened users.
A database of experts would be created
to speed response to immediate threats.
The center would also develop means of
correcting flaws in software, such as
trapdoors in operating systems. Vendors
would even be asked to develop and field
solutions, notes GCN.
The only stumbling block is funding
and personnel for the center.
Katzke did emphasize that viruses are
actually less of a threat than poor
security that allows abusers to access
systems. Excellent technical anti-virus
defenses are of no use at all if
management does not maintain proper
control of the computer system, he told
GCN.
Congress is expected to respond to the
recent outbreak of virus attacks. One
bill that died in the 100th Congress,
The Computer Virus Eradication Act of
1988, will be reintroduced by Rep. Wally
Herger (R-Calif.).
-- Cathryn Conroy
LINK BETWEEN ARPANET AND MILITARY SYSTEM
CUT BECAUSE OF INTRUDER
(Dec. 1)
Apparently because of an unknown
computer intruder, the Pentagon this
week cut links between its unclassified
military network called Milnet and
Arpanet, the national academic and
corporate network.
The link reportedly was cut at 10 p.m.
Monday and was expected to be restored
sometime today.
According to The New York Times this
morning, Pentagon officials are saying
officially that the move was due to
technical difficulties. However, The
Times quoted several unidentified
security experts as saying the
connection was broken after a recent
intrusion into several computers
operated by defense contractors and the
military.
The Times said the Defense Department
apparently acted after a computer at the
Mitre Corp., a Bedford, Mass., think
tank, was illegally entered several
times over the past month. Officials at
several US and Canadian universities
said the intruder used their computers
to reach Mitre's.
A Mitre spokeswoman confirmed that one
of the firm's computers had indeed been
entered, but said the systems involved
had not handled any classified or
sensitive information and that the
problem was fixed within hours of
detection.
Seven computer gateways link Milnet to
Arpanet.
Arpanet is the same network that was
stymied for 36 hours a month ago by a
so-called virus allegedly created by
Cornell University graduate student
Robert Morris Jr., 23, of Arnold, Md.
The Times quoted its experts as
speculating that the Pentagon may have
kept the connection between Milnet and
Arpanet severed while it tried to rid
the system of a security flaw.
Speaking of Morris, two Harvard
University computer experts, graduate
student Paul Graham and programmer
Andrew H. Suddeth, appeared yesterday
before a federal grand jury in Syracuse,
N.Y., which is investigating the virus
incident.
Suddeth said earlier that Morris
called him in a panic for help in
getting out a message to other computer
operators after he reportedly realized
what the virus was doing.
The Associated Press says a third
person subpoenaed -- Mark Friedell, an
associate professor of computer science
-- was excused from testifying because
he told prosecutors he knew nothing
about the allegations of Morris'
involvement with the virus.
Morris has not been subpoenaed to
appear before the grand jury, lawyer
Thomas Guidoboni of Washington, D.C.,
told the Syracuse Herald-Journal.
Says AP, "Guidoboni so far has advised
Morris not to talk with anyone about the
virus, including FBI agents. But the
lawyer said an agreement may soon be
reached in which an interview with
agents would be arranged."
--
CONGRESS TO PROBE VIRUS
(Dec. 4)
The Internet "WORM", previously
characterized as a virus, has caught the
attention of federal legislators. Two
congressional committees plan to
schedule hearings on the purported
actions of a 23-year-old Cornell
University student said to be
responsible for inserting the WORM
program into a national computer
communications network.
The House Science, Space and
Technology Committee and the Crime
Subcommittee of the House Judiciary
Committee are planning hearings on the
Internet WORM when the new 101st
Congress meets. Representative Robert
Roe (D-N.J.) and Rep. William Hughes
(D-N.J.), the respective chairmen of the
two legislative groups, are apparently
concerned that even more serious
pitfalls await computers used in the
federal government. Rep. Hughes is
well-known in computer security circles
and has been instrumental in introducing
computer-related legislation.
Both chairman are said to be concerned
about the vulnerability of federal
computers to intrusions either planned
or accidental. Committee hearing dates
will probably be scheduled soon after
the new congress convenes on January 9.
--
PENTAGON FORMS VIRUS "SWAT TEAM"
(Dec. 7)
The Pentagon is bringing together some
100 unidentified computer experts from
across the country to act as a kind of
"SWAT team" to respond to
self-replicating "virus" programs that
might threaten US defense computers.
Called CERT (the Computer Emergency
Response Team), the group includes
technical experts, site managers,
government officers, industry contacts,
executives and representatives from
investigative agencies.
United Press International quotes a
Pentagon statement as saying the
experts' knowledge will be called upon
when needed; otherwise, they will go
about their usual jobs.
CERT is to be coordinated from the
Software Engineering Institute at
Pittsburgh's Carnegie Mellon University,
where a six-member staff already is in
place, UPI says.
A Pentagon spokeswoman characterized
the group as "sort of a SWAT team" that
will respond to security threats such as
the virus that thwarted Arpanet
computers for some 36 hours on Nov. 2
and 3.
The government says CERT will assist
researchers in responding to emergencies
and will be able to rapidly establish
communications with experts working to
solve the problems, with affected
computer users and with government
authorities.
--
NIST AND NSA JOIN IN VIRUS DEFENSE PLAN
(Dec. 12)
The National Security Agency and the
National Institute of Standards and
Technology have developed 11 possible
courses of action in a plan to fight the
recurrence of computer viruses on
federal computer systems, reports
Government Computer News.
Although many details of the plans are
incomplete, sources told GCN that some
of the ideas include establishment of an
anti-virus coordination center for the
federal government where problems would
be reported and jointly supported by NSA
and NIST. The center might actually
evolve into a national command center
that would also support commercial
networks. GCN notes that staff experts
would carry beepers so they could be
summoned around the clock for immediate
response to a virus attack.
Other plans called for the development
of standard virus analysis tools to aid
in the disassembly and study of viruses
as well as the establishment of a
response team from the government,
industry and academia with the
specialized skills to analyze viruses
and develop defenses.
GCN notes that the group also
recommended that a network of experts be
maintained to ensure access to their
specialized skills in a crisis. The
establishment of an emergency broadcast
network to disseminate attack warnings
and virus defenses was also suggested.
Anti-virus defenses could be broadcast
over telephone lines by phones using
recorded messages.
Other recommendations include better
training for operators, improved back-up
procedures to prevent viruses from being
copied to secure backup disks and
greater participation of law enforcement
agencies in emergencies.
All the recommendations could be
implemented under the Computer Security
Act, which gives NIST authority to
oversee security for civilian computer
systems.
Before the plan can be implemented
formally, however, NIST and NSA
officials must approve it, money must be
allocated and personnel must be hired.
--Cathryn Conroy
SOVIETS FIGHT COMPUTER VIRUSES
(Dec. 19)
The Soviet Union says it has contended
with its first computer virus, one that
may have stemmed from a computer studies
"summer camp" there attended earlier
this year by Soviet and foreign
children.
Computer specialist Sergei Abramov of
the USSR Academy of Sciences told Radio
Moscow yesterday that the virus was
found last August at the academy's
Institute of Program Systems. He said
the virus invaded systems in at least
five government-run institutions, but
that scientists now have developed a way
to detect known viruses and to prevent
serious damage.
Charles Mitchell of United Press
International quoted Abramov as saying
the virus, dubbed DOS-62, infected 80
computers at the academy before it was
brought under control 18 hours later.
Abramov believes the virus was
introduced when Soviet students used the
institute's computers to copy infected
application programs and games for
personal computers.
Of the computer summer camp, Abramov
did not say from which countries the
foreign students came, but added, "Here
in the Soviet Union there was not a
single instance of a computer virus
attack until August of this year but now
at least two different viruses have been
encountered by five different
institutions."
He did not identify the five
institutions, nor did he say whether
viruses had infected any Soviet
computers connected to Western European
databases.
Mitchell also quoted Abramov as saying
that concern about viruses caused Soviet
scientists to place a high priority on
finding a defense for what he said were
the 15 known digital virus strains in
the world. He said he headed the team
that found such a shield.
"This protective system has no
counterpart in the world," Abramov said,
adding that details remain a state
secret but that the defense, known
formally as PC-Shield, has been tested
on IBM computers in the Soviet Union.
"The system provides early warning of
an attack by practically any virus known
in the world," he said. "It has a
two-tiered system of protection. The
first tier warns the user of an attack
enabling him to stop the computer. The
second tier assures the detection of any
virus still unknown as well as known and
prevents it from spreading."
UPI also quoted Radio Moscow as saying
that earlier this year an unidentified
programer at the Gorky Automobile Works
on the Volga river was charged with
deliberately using a virus to shut down
an assembly line in a dispute over work
conditions. The broadcast said the man
was convicted under Article 206, the
so-called Hooliganism law, which
provides for a jail term of up to six
years for "violating public order in a
coarse manner and expressing a clear
disrespect toward society."
--
ANOTHER COMMERCIAL PROGRAM SAID TO BE
INFECTED BY "NVIR" VIRUS
(Dec. 20)
For the third time this year, a
commercial software package has been
infected by a computer virus. This time
the rogue program -- apparently another
version of the so-called "nVir" virus --
has shown up on a compact disk.
Business writer Peter Coy of The
Associated Press says the virus was
found in seven programs on the second
edition of a CD-ROM called MegaROM,
which is sold for the Apple Macintosh
community by Quantum Leap Technology
Inc. of Coral Gables, Fla.
Coy says the infection, which was
detected with virus- screening programs,
apparently occurred when the disk was
being prepared for duplication at Nimbus
Records in Charlottesville, Va. The
virus, which does not appear to be
dangerous, was spotted after about 400
copies of the disk had been shipped, he
says.
John Sands, technical operations
manager of Nimbus' CD- ROM division,
told the wire service the virus came
from a piece of software residing on a
hard disk for Macintosh computers that
was manufactured by CMS Enhancements
Inc. of Tustin, Calif. Sands faulted CMS
for not alerting Nimbus and its other
disk drive customers about the virus
threat.
In response, CMS President Jim
Farooque told Coy that as of yesterday
afternoon he hadn't been able to verify
that the virus had indeed come from his
company. Conceding that some of his
employees previously had told people at
Nimbus that the virus had come on a CMS
floppy disk used to prepare the hard
disk for receiving data, Farooque said,
"It's possible that ... they are
communicating back and forth information
that may or may not be true."
He added the company voluntarily was
helping people get rid of the viruses
without admitting responsibility for
them.
Quantum Leap President Robert Burr
told Coy his firm was alerted to the
virus on Dec. 9 and began notifying
recipients of the infected MegaRom disks
last week. The infected disks are
imprinted with a green decorative
pattern, while the new disks that are
virus-free have a blue pattern.
Coy also noted, "Almost half of the
infected disks were shipped to members
of the computer press for review. The
disks are filled with programs, known as
shareware or freeware, that are
available for free from places such as
computer bulletin boards."
The nVir virus first appeared in
another commercial program -- Aldus
Corp.'s FreeHand drawing software for
the Mac -- last October. Until now,
Aldus was the only commercial software
firm to publicly report a virus problem.
Last March, an earlier version of
FreeHand was infected by different
virus.
--
VIRUSES TEST COMPUTER CRIME LAWS
(Dec. 20)
The perpetration of computer viruses
is a punishable crime that is generally,
although not specifically, addressed by
a number of federal and state criminal
statues. Despite this, law enforcement
officials are finding that successful
prosecutions tend to decrease
dramatically as the sophistication of
the misdeed increases, reports the Los
Angeles Times.
"There are a lot of hairy evidence
questions with computer crimes," said
Jack Bologna, head of the International
Association of Computer Crime
Investigators. "Documentation today is
different than when you had a complete
paper trail. It is now possible to cause
a computer crime in which you destroy
all the evidence."
Traditionally, computer thieves have
been tried under ordinary grand theft
and fraud sections of state criminal
codes, but since 1984 (a year after the
debut of the movie "War Games"), the
laws have been changing to keep up with
the state of technology. Now, 48 states
and the federal government have specific
laws governing against computer crime.
Statistics show that an overwhelming
majority of cases that reach a judge
result in convictions, according to the
National Center for Computer Crime Data.
But most of the crimes are never
prosecuted because of lack of sufficient
evidence or because the victims, usually
large corporations, are too embarrassed
to notify authorities. But to date,
there have been no prosecutions of
computer viruses, which first emerged
about 18 months ago.
Even the notorious case of Robert T.
Morris Jr., the 23- year-old Cornell
University graduate student suspected of
creating the virus that madly replicated
across the vast network of military and
university computers this fall, has not
yet been prosecuted. The Times notes
that the FBI is now studying four
federal criminal statutes to determine
whether it should prosecute Morris.
Authorities concede the case is fraught
with legal problems, meaning it is
possible he will never be prosecuted.
--Cathryn Conroy
Online Today OLT-1512
ONLINE TODAY'S BACKGROUNDER: COMPUTER
"VIRUS," PART FOUR
(Editor's note: Computer "viruses" --
self-propagating programs that spread
from one machine to another and from one
disk to another -- have been very much
in the news. This file contains
virus-related stories carried by Online
Today's electronic edition beginning in
January 1989.)
VIRUS STRIKES UNIVERSITY OF OKLA.
(Jan. 11)
Officials at the University of
Oklahoma in Norman, Okla., blame a
computer virus for ruining several
students' papers and shutting down
terminals and printers in a student lab
at the university library.
Manager Donald Hudson of Bizzell
Memorial Library told The Associated
Press that officials have purged the
library computers of the virus. He said
the library also has set up extra
computers at its lab entrance to inspect
students' programs for viruses before
they are used on other computers.
The wire service said the library's
virus probably got into a computer
through a student's disk, but the
student may not have known the virus was
there. Hudson said the library's
computers are not linked to any
off-campus systems. However, the
computers are connected through
printers, which he said allowed the
virus to spread.
--
"FRIDAY THE 13TH" VIRUS STRIKES
(Jan. 13)
Data files and programs on personal
computers throughout Britain apparently
were destroyed today by what was termed
a "Friday the 13th" computer virus.
Alan Solomon, managing director of S
and S Enterprises, a British data
recovery center, told The Associated
Press that hundreds of users of IBM and
compatible PCs reported the virus, which
he said might be a new species.
Solomon, who also is chairman of an
IBM users group, told the wire service
that phone lines to the center were busy
with calls for help from businesses and
individuals whose computers were struck
by the virus.
"It has been frisky," he said, "and
hundreds of people, including a large
firm with over 400 computers, have
telephoned with their problems."
S and S hopes to figure out how the
virus operates and then attempt to
disable it. "The important thing is not
to panic and start trying to delete
everything in a bid to remove the
virus," Solomon said. "It is just a
pesky nuisance and is causing a lot of
problems today."
--
"FRIDAY THE 13TH" VIRUS MAY BE NEW
VERSION OF ONE FROM ISRAEL
(Jan. 14)
Investigators think the "Friday the
13th" virus that struck Britain
yesterday might be a new version of the
one that stymied computers at the Hebrew
University in Jerusalem on another
Friday the 13th last May.
As reported here yesterday (GO
OLT-308), hundreds of British IBM PCs
and compatibles were struck by the
virus, which garbled data and deleted
files.
Jonathan Randal of The Washington Post
Foreign Service reports the program is
being called the "1,813" variety,
because of the number of unwanted bytes
it adds to infected software.
He says the specialists are convinced
the program "is the brainchild of a
mischievous -- and undetected --
computer hacker at Hebrew University."
Alan Solomon, who runs the IBM
Personal Computer User Group near
London, told the Post wire service that
1,813 was relatively benign, "very
minor, just a nuisance or a practical
joke."
Solomon said he and other specialists
first noted the virus in Britain several
months ago when it began infecting
computers. Solomon's group wrote
security software with it distributed
free, so, he said, the virus basically
struck only the unlucky users who didn't
take precautions.
--
LIBRARY OF CONGRESS VIRUS VICTIM
(Jan. 27)
An official with the US Library of
Congress acknowledges that the
institution was struck by a computer
virus last fall.
Speaking to a delegation of Japanese
computer specialists touring Washington,
D.C., yesterday, Glenn McLoughlin of the
library's Congressional Research Service
disclosed that a virus was spotted and
killed out of the main catalog computer
system before it could inflict any
damage to data files.
Associated Press writer Barton Reppert
quoted McLoughlin as saying, "It was
identified before it could spread or
permanently erase any data."
McLoughlin added the virus was found
after personnel logged onto computers at
the library and noticed they had
substantially less memory space to work
with than they had expected.
He said the virus apparently entered
the system through software obtained
from the University of Maryland. "We
don't know," he said, "whether it was a
student at Maryland, or whether Maryland
had gotten it from somebody else. That
was simply the latest point of departure
for the software."
Meanwhile, Reppert also quoted
computer security specialist Lance J.
Hoffman of George Washington University
as saying the world may be heading
toward a catastrophic computer failure
unless more effective measures are taken
to combat viruses.
Comparing last November's virus
assault on the Pentagon's ARPANET
network to a nuclear accident that
"could have had very disastrous
consequences for our society," Hoffman
told the visitors, "It wasn't Chernobyl
yet, it was the Three Mile Island -- it
woke a lot of people up."
Online Today has been following
reports of viruses for more than a year
now. For background files, type GO
OLT-2039 at any prompt. And for other
stories from The Associated Press, type
GO APO.
--
CHRISTMAS VIRUS FROM FRANCE?
(Jan 30)
A little noticed software worm, the
so-called Christmas Decnet virus, may
have originated from Germany or France.
Apparently released at the end of
December, the worm replicated itself
only onto Digital Equipment Corp.
computers that were connected to Decnet,
a national communications network often
accessed by DEC users.
At least one system administrator has
noticed that the worm collected
identifying information from the invaded
terminals and electronically mailed that
information to a network node in France.
The assumption is that the French node
collected the information and,
subsequently, used it to propagate the
worm throughout the network.
The so-called German connection came
about because of the way the worm
presents text information on invaded
terminals. Though written in English,
the worm message is said to contain
strong indications of Germanic language
syntax. Predictably, a German
"connection" has led to speculation that
Germany's Chaos Computer Club may have
had a role in worm's creation.
--
FEDERAL GROUP FIGHTS VIRUSES
(Feb. 3)
The Computer Emergency Response Team
(CERT) has been formed by the Department
of Defense and hopes to find volunteer
computer experts who will help federal
agencies fight computer viruses. CERT's
group of UNIX experts are expected to
help users when they encounter network
problems brought on by worms or viruses.
A temporary group that was formed last
year after Robert T. Morris Jr.
apparently let loose a bug that infected
the Department of Defense's Advanced
Project Agency network (ARPANET), will
be disbanded.
The Morris case has some confusing
aspects in that some computer groups
have accused federal prosecutors with
reacting hysterically to the ARPANET
infection. It has been pointed out that
the so-called Morris infection was not a
virus, and that evidence indicates it
was released onto the federal network
accidentally.
CERT is looking toward ARPANET members
to supply its volunteers. Among those
users are federal agencies, the Software
Engineering Institute and a number of
federally-funded learning institutions.
Additional information is available from
CERT at 412/268- 7090.
--
COMPUTER VIRUSES HOT ISSUE IN CONGRESS
(Feb. 3)
One of the hottest high-tech issues on
Capitol Hill is stemming the plague of
computer viruses.
According to Government Computer News,
Rep. Wally Herger (R-Calif.) has pledged
to reintroduce a computer virus bill
that failed to pass before the 100th
Congress adjourned this past fall. The
measure will create penalties for people
who inject viruses into computer
systems.
"Unfortunately, federal penalties for
those who plant these deadly programs do
not currently exist," said Herger. "As a
result, experts agree that there is
little reason for a hacker to even think
twice about planting a virus." (Herger
then later corrected himself saying
those who plant viruses are not hackers
but rather criminals.)
GCN notes that the bill calls for
prison sentences of up to 10 years and
extensive fines for anyone convicted of
spreading a computer virus. It would
also allow for civil suits so people and
businesses could seek reimbursement for
system damage caused by a virus attack.
If the bill is referred to the
Judiciary Committee, as is likely, it
stands a reasonable chance of passage.
Rep. Jack Brooks, a longtime technology
supporter, is the new head of that
committee and he has already stated that
the new position will not dampen his
high-tech interests.
-- Cathryn Conroy CONGRESS LOOKS AT
ANOTHER COMPUTER PROTECTION BILL
(Feb. 27)
The Computer Protection Act (HR 287)
is the latest attempt by Congress to
battle computer viruses and other forms
of sabotage on the high-tech machines.
Introduced by Rep. Tom McMillan
(D-Md.), the bill calls for a maximum of
15 years in prison with fines of
$100,000 to $250,000 for those convicted
of tampering with a computer, be it
hardware or software.
"With the proliferation of various
techniques to tamper with computers, we
need to fill the void in federal law to
deal with these criminals," said
McMillan. "This legislation will send
the clear signal that infiltrating
computers is not just a cute trick; it's
against the law."
The bill, which has been referred to
the Judiciary Committee, is written
quite broadly and is open to
interpretation.
-- Cathryn Conroy
VIRUS CREATOR FOUND DEAD AT 39
(March 17)
A Californian who said he and one of
his students created the first computer
virus seven years ago as an experiment
has been found dead at 39 following an
apparent aneurysm of the brain.
Jim Hauser of San Luis Obispo died
Sunday night or Monday morning, the
local Deputy Coroner, Ray Connelly, told
The Associated Press.
Hauser once said he and a student
developed the first virus in 1982,
designing it to give users a "guided
tour" of an Apple II. He said that,
while his own program was harmless, he
saw the potentially destructive
capability of what he termed an
"electronic hitchhiker" that could
attach itself to programs without being
detected and sneak into private systems.
--
HOSPITAL STRUCK BY COMPUTER VIRUS
(March 22)
Data on two Apple Macintoshes used by
a Michigan hospital was altered recently
by one or more computer viruses, at
least one of which apparently traveled
into the system on a new hard disk that
the institution bought.
In its latest edition, the prestigious
New England Journal of Medicine quotes a
letter from a radiologist at William
Beaumont Hospitals in Royal Oak, Mich.,
that describes what happened when two
viruses infected computers used to store
and read nuclear scans that are taken to
diagnose patients' diseases.
The radiologist, Dr. Jack E. Juni,
said one of the viruses was relatively
benign, making copies of itself while
leaving other data alone. However, the
second virus inserted itself into
programs and directories of patient
information and made the machines
malfunction.
"No lasting harm was done by this,"
Juni wrote, because the hospital had
backups, "but there certainly was the
potential."
Science writer Daniel Q. Haney of The
Associated Press quoted Juni's letter as
saying about three-quarters of the
programs stored in the two Mac II PCs
were infected.
Haney said Juni did not know the
origin of the less harmful virus, "but
the more venal of the two apparently was
on the hard disk of one of the computers
when the hospital bought it new. ... The
virus spread from one computer to
another when a doctor used a word
processing program on both machines
while writing a medical paper."
Juni said the hard disk in question
was manufactured by CMS Enhancements of
Tustin, Calif.
CMS spokesman Ted James confirmed for
AP that a virus was inadvertently put on
600 hard disks last October.
Says Haney, "The virus had
contaminated a program used to format
the hard disks. ... It apparently got
into the company's plant on a hard disk
that had been returned for servicing.
James said that of the 600 virus-tainted
disks, 200 were shipped to dealers, and
four were sold to customers."
James also said the virus was "as
harmless as it's possible to be," that
it merely inserted a small piece of
extra computer code on hard disks but
did not reproduce or tamper with other
material on the disk. James told AP he
did not think the Michigan hospital's
problems actually were caused by that
virus.
--
MORE HOSPITALS STRUCK BY VIRUS
(March 23)
The latest computer virus attack, this
one on hospital systems, apparently was
more far- reaching than originally
thought.
As reported here, a radiologist wrote
a letter to the New England Journal of
Medicine detailing how data on two Apple
Macintoshes used by the William Beaumont
Hospital in Royal Oak, Mich., was
altered by one or more computer viruses.
At least one of the viruses, he said,
apparently traveled into the system on a
new hard disk the institution bought.
Now Science writer Rob Stein of United
Press International says the virus --
possibly another incarnation of the
so-called "nVIR" virus -- infected
computers at three Michigan hospitals
last fall. Besides the Royal Oak
facility, computers at another William
Beaumont Hospital in Troy, Mich., were
infected as were some desktop units at
the University of Michigan Medical
Center in Ann Arbor.
Stein also quoted Paul Pomes, a virus
expert at the University of Illinois in
Champaign, as saying this was the first
case he had heard of in which a virus
had disrupted a computer used for
patient care or diagnosis in a hospital.
However, he added such disruptions could
become more common as personal computers
are used more widely in hospitals.
The virus did not harm any patients
but reportedly did delay diagnoses by
shutting down computers, creating files
of non-existent patients and garbling
names on patient records, which could
have caused more serious problems.
Dr. Jack Juni, the radiology who
reported the problem in the medical
journal, said the virus "definitely did
affect care in delaying things and it
could have affected care in terms of
losing this information completely." He
added that if patient information had
been lost, the virus could have forced
doctors to repeat tests that involve
exposing patients to radiation. Phony
and garbled files could have caused a
mix-up in patient diagnosis. "This was
information we were using to base
diagnoses on," he said. "We were lucky
and caught it in time."
Juni said the virus surfaced when a
computer used to display images used to
diagnose cancer and other diseases began
to malfunction at the 250-bed Troy
hospital last August. In October, Juni
discovered a virus in the computer in
the Troy hospital. The next day, he
found the same virus in a similar
computer in the 1,200-bed Royal Oak
facility.
As noted, the virus seems to have
gotten into the systems through a new
hard disk the hospitals bought, then
spread via floppy disks.
The provider of the disk, CMS
Enhancements Inc. of Tustin, Calif.,
said it found a virus in a number of
disks, removed the virus from the disks
that had not been sent to customers and
sent replacement programs to
distributors that had received some 200
similar disks that already had been
shipped.
However, CMS spokesman Ted James
described the virus his company found as
harmless, adding he doubted it could
have caused the problems Juni described.
"It was a simple non-harmful virus,"
James told UPI, "that had been created
by a software programmer as a
demonstration of how viruses can infect
a computer."
Juni, however, maintains the version
of the virus he discovered was a mutant,
damaging version of what originally had
been written as a harmless virus known
as "nVIR." He added he also found a
second virus that apparently was
harmless. He did not know where the
second virus originated.
--
GOVERNMENT PLANS FOR ANTI-VIRUS CENTERS
(March 24)
Federal anti-virus response centers
that will provide authentic solutions to
virus attacks as they occur will be
developed by the National Institute of
Standards and Technology, reports
Government Computer News.
The centers will rely on unclassified
material throughout the federal
government and provide common services
and communication among other response
centers.
NIST will urge agencies to establish a
network of centers, each of which will
service a different use or technological
constituency. They will offer emergency
response support to users, including
problem-solving and identification of
resources. GCN notes they will also aid
in routine information sharing and help
identify problems not considered
immediately dangerous, but which can
make users or a system vulnerable to
sabotage.
A prototype center called the Computer
Emergency Response Team is already
operational at the Defense Advanced
Research Projects Agency and will serve
as a model for the others.
Although NIST and the Department of
Energy will provide start-up funds, each
agency will have to financially support
its response center.
--Cathryn Conroy
ILLINOIS STUDIES VIRUS LAW
(April 15)
The virus panic in some state
legislatures continues as anti- virus
legislation is introduced in Illinois.
Illinois House Bill 498 has been
drafted by Rep. Ellis B. Levin
(D-Chicago) to provide criminal
penalties for loosing a so-called
computer virus upon the public. The
bill is similar to one that has been
introduced in Congress.
Rep. Levin's bill provides that a
person commits "'computer tampering by
program' when he knowingly: inserts into
a computer program information or
commands which, when the program is run,
causes or is designed to cause the loss,
damage or disruption of a computer or
its data, programs or property to
another person; or provides or offers
such a program to another person."
Conviction under the legislation would
result in a felony. A second conviction
would bring harsher penalties.
Currently, the bill is awaiting a
hearing in the Illinois' House Judiciary
II Committee. It is expected that
testimony on HB 498 will be scheduled
sometime during April.
--
ERRORS, NOT CRACKERS, MAIN THREAT
(April 28)
A panel of computer security experts
has concluded that careless users pose a
greater threat than malicious saboteurs
to corporate and government computer
networks.
Citing the well-publicized allegations
that Cornell University graduate student
Robert T. Morris Jr. created a worm
program last November that swept through
some 6,000 networked systems, Robert H.
Courtney Jr. commented, "It was a
network that no one attempted to
secure."
According to business writer Heather
Clancy of United Press International,
Courtney, president of Robert Courtney
Inc. computer security firm, said the
openness of Internet was the primary
reason it was popular among computer
crackers, some of whom are less talented
or more careless than others.
"People making mistakes are going to
remain our single biggest security
problems," he said. "Crooks can never,
ever catch up."
Sharing the panel discussion in New
York, Dennis D. Steinauer, a computer
scientist with the National Institute
for Standards and Technologies, added
that network users should not rely only
on technological solutions for security
breaks.
"Not everyone needs all security
products and mechanisms out there," he
said. "The market is not as large as it
is for networking equipment in general."
He added that a standard set of program
guidelines, applicable to all types of
networks, should be created to prevent
mishaps. "There has been a tremendous
amount of work in computer (operating)
standards. The same thing is now
happening in security."
Fellow panelist Leslie Forman, AT&T's
division manager for the data systems
group, said companies can insure against
possible security problems by training
employees how to use computers properly
and tracking users to make sure they
aren't making potentially destructive
errors. "It's not a single home run that
is going to produce security in a
network," she said. "It's a lot of
little bunts."
--
EXPERTS TESTIFY ON COMPUTER CRIME
(May 16)
Electronic "burglar alarms" are needed
to protect US military and civilian
computer systems, Clifford Stoll, an
astronomer at the Harvard- Smithsonian
Center for Astrophysics, told a Senate
Judiciary subcommittee hearing on
computer crimes, reports United Press
International.
Stoll was the alert scientist who
detected a 75-cent accounting error in
August 1986 in a computer program at
Lawrence Berkeley Laboratory that led
him to discover a nationwide computer
system had been electronically invaded
by West Germans.
"This was a thief stealing information
from our country," he said. "It deeply
bothers me that there are reprobates who
say, `I will steal anything I can and
sell it to whoever I want to.' It opened
my eyes."
Following his discovery, Stoll was so
immersed in monitoring the illegal
activity that he was unable to do any
astronomy work for a year.
"People kind of look at this as a
prank," Stoll said. "It's kind of funny
on the one hand. But it's people's work
that's getting wiped out."
The West German computer criminals,
who were later determined to have been
working for Soviet intelligence,
searched the US computer network for
information on the Strategic Defense
Initiative, the North American Defense
Command and the US KH-11 spy satellite.
They also withdrew information from
military computers in Alabama and
California, although no classified
information was on any of the computer
systems.
William Sessions, FBI director, also
appeared before the Senate subcommittee
and said the bureau is setting up a team
to concentrate on the problem.
He explained that computer crimes are
among "the most elusive to investigate"
since they are often "invisible." The
FBI has trained more than 500 agents in
this area.
UPI notes that Sessions agreed to
submit his recommendations to Sen.
Patrick Leahy (D-Vt.), the subcommittee
chairman, for new laws that could be
used to protect sensitive computer
networks from viruses. Currently, there
are no federal laws barring computer
viruses.
The FBI is working with other federal
agencies to assess the threat of such
crimes to business and national
security.
William Bayes, assistant FBI director,
told the senators he likens a computer
to a house with locks on the door. He
explained that he has placed a burglar
alarm on his computer at Berkeley,
programming it to phone him when someone
tries to enter it. He said more
computer burglar alarms may be needed.
-- Cathryn Conroy
MASS. CONSIDERS NEW INTRUSION LAW
(May 21)
In Boston, a state senator has offered
a bill that would make it a violation of
Massachusetts law to enter a computer
without authorization. It also would
level penalties against those caught
planting so-called computer "viruses."
Sen. William Keating, the bill's
sponsor, told The Associated Press his
measure considers this new category of
crime to be analogous to breaking into a
building.
"It's an attempt," Keating added, "to
put on the statutes a law that would
penalize people for destruction or
deliberate modification or interference
with computer properties. It clarifies
the criminal nature of the wrongdoing
and, I think, in that sense serves as a
deterrent and makes clear that this kind
of behavior is criminal activity."
The senator credits a constituent,
Elissa Royal, with the idea for the
bill. Royal, whose background is in
hospital administration, told AP, "I
heard about (computer) viruses on the
news. My first thought was the clinical
pathology program. Our doctors would
look at it and make all these decisions
without looking at the hard copy. I
thought, what if some malevolent, bright
little hacker got into the system and
changed the information? How many people
would be injured or die?"
Keating's bill would increase
penalties depending on whether the
attacker merely entered a computer,
interfered with its operations or
destroyed data. In the most serious
case, a person found guilty of knowingly
releasing a virus would be subject to a
maximum of 10 years in prison or a
$25,000 fine.
AP says the bill is pending in
committee, as staff members are refining
its language to carefully define the
term "virus."
--
COMPUTER VACCINE MARKET THRIVES ON USER
FEAR
(May 23)
The computer protection market is
thriving. The reason? Fear. Fear of the
spread of computer viruses and worms has
caused a boom in products that are
designed to protect unwitting users from
the hazards of high- tech diseases.
According to the Dallas Morning News,
there is a surging cottage industry
devoted to creating "flu shots" and
"vaccines" in the form of software and
hardware; however, many of these cures
are nothing more than placebos.
"There's a protection racket springing
up," said Laura A. DiDio, senior editor
of Network World, the trade publication
that sponsored a recent executive
roundtable conference in Dallas on
"Network Terrorism."
Last year alone, American businesses
lost a whopping $555.5 million, 930
years of human endeavor and 15 years of
computer time from unauthorized access
to computers, according to statistics
released by the National Center for
computer Crime Data in Los Angeles,
Calif.
The most difficult systems to protect
against viruses are computer networks
since they distribute computing power
throughout an organization. Despite the
threat, sales are thriving. Market
Intelligence Research says sales of
personal computing networking equipment
grew 50 percent last year and are
expected to grow another 41 percent this
year to $929.5 million.
Meanwhile, the Computer Virus Industry
Association says that the number of
computer devices infected by viruses in
a given month grew last year from about
1,000 in January to nearly 20,000 in
November and remained above 15,000 in
December.
-- Cathryn Conroy
PENDING COMPUTER LAWS CRITICIZED
(June 18)
Computer attorney Jonathan Wallace
says that the virus hysteria still
hasn't quieted down and that legislation
that will be reintroduced in Congress
this year is vague and poorly drafted.
Noting that at least one state, New
York, is also considering similar
legislation, Wallace says that
legislators may have overlooked existing
laws that apply to "software weapons."
In a newsletter sent out to clients,
Wallace notes that both the Electronic
Communications Privacy Act (ECPA) and
the Computer Fraud and Abuse Act (CFAA)
cover the vast majority of software
crimes.
Wallace points out that both the ECPA
and the CFAA already impose criminal
penalties on illegal actions. Even the
Senate Judiciary Committee has refutted
the idea that more federal laws are
needed. "Why don't we give existing laws
a chance to work, before rushing off to
create new ones," Wallace asks.
Wallace is the editor of Computer Law
Letter and is an Assistant System
Administrator on CompuServe's Legal
Forum (GO LAWSIG).
--
NEW VIRUS HITS THAI COMPUTERS
(June 27)
A newspaper in Bangkok is reporting
that a new computer virus, said to be
the most destructive yet discovered, has
struck computer systems in Thailand.
According to the Newsbytes News
Service, computer security specialist
John Dehaven has told The Bangkok Post,
"This is a very subtle virus that can
lay dormant, literally, for years."
The wire service says that two Thai
banks and several faculties at
Chulalongkorn University were hit by the
rogue program -- called the "Israeli
virus," because it was first detected
there -- at the beginning of last month.
Newsbytes says the infection spreads
quickly through any computer once it is
activated.
--
CONGRESS STUDIES COMPUTER VIRUSES
(July 21)
The Congress is taking a hard look at
a new report that says major computer
networks remain vulnerable to computer
viruses that are capable of crippling
communications and stopping the nation's
telecommunications infrastructure dead
in its tracks.
Rep. Edward Markey (D-Mass.), chairman
of the House telecommunications
subcommittee, told a hearing earlier
this week that federal legislation may
be needed to ease the threats posed by
computer viruses.
"The risk and fear of computer-based
sabotage must be reduced to an
acceptable level before we can
reasonably expect our national networks
to accomplish the purposes for which
they were created," Markey said during a
hearing Wednesday on the new
congressional study.
"We must develop policies that ensure
(network's) secure operation and the
individuals' rights to privacy as
computer network technologies and
applications proliferate," he added.
The report by the General Accounting
Office examined last year's virus attack
that shut down the massive Internet
system, which links 60,000 university,
government and industry research
computers.
The GAO found that Internet and other
similar systems remain open to attack
with much more serious results than the
temporary shutdown experienced by
Internet.
The GAO warned that the Internet
virus, a "worm" which recopied itself
until it exhausted all of the systems
available memory, was relatively mild
compared to other more destructive
viruses.
"A few changes to the virus program
could have resulted in widespread damage
and compromise," the GAO report said.
"With a slightly enhanced program, the
virus could have erased files on
infected computers or remained
undetected for weeks, surreptitiously
changing information on computer files,"
the report continued.
The GAO recommended the president's
science advisor and the Office of
Science and Technology Policy should
take the lead in developing new security
for Internet.
In addition, the report said Congress
should consider changes to the Computer
Fraud and Abuse Act of 1986, or the Wire
Fraud Act, to make it easier to bring
charges against computer saboteurs.
Joining in sounding the alarm at the
hearing was John Landry, executive vice
president of Cullinet Software of
Westwood, Mass., who spoke on behalf of
ADAPSO.
"The range of threats posed by
viruses, worms and their kin is limited
only by the destructive imagination of
their authors," Landry said. "Existing
computer security systems often provide
only minimal protection against a
determined attack."
Landry agreed the Internet attack
could have been much worse. He said
viruses have been found that can modify
data and corrupt information in
computers by means as simple as moving
decimal points one place to the left or
right.
One recently discovered virus, he
said, can increase disk access speed,
resulting in the wearing out of disk
drives. They also have been linked to
"embezzlement, fraud, industrial
espionage and, more recently,
international political espionage," he
said.
"Virus attacks can be life
threatening," Landry said, citing a
recent attack on a computer used to
control a medical experiment. "The risk
of loss of life resulting from
infections of airline traffic control or
nuclear plant monitoring systems is
easily imaginable," he said.
Landry said ADAPSO endorses the
congressional drive toward tightening
existing law to ensure that computer
viruses are covered along with other
computer abuses.
--J. Scott Orr
GLOSSARY OF VIRUS-RELATED TERMS
(July 21)
Until last year's computer virus
attack on the massive Internet network
made headlines, computer sabotage
attracted little attention outside
computer and telecommunications circles.
Today "computer virus" has become a
blanket term covering a wide range of
software threats.
ADAPSO, the computer software and
services industry association, believes
the term has been thrown around a little
too loosely. Here, then, is ADAPSO's
computer virus glossary:
-:- COMPUTER VIRUS, a computer program
that attaches itself to a legitimate,
executable program, then reproduces
itself when the program is run.
-:- TROJAN HORSE, a piece of
unauthorized code hidden within a
legitimate program that, like a virus,
may execute immediately or be linked to
a certain time or event. A trojan horse,
however, does not self-replicate.
-:- WORM, an infection that enters a
computer system, typically through a
security loophole, and searches for idle
computer memory. As in the Internet
case, the worm recopies itself to use up
available memory.
-:- TRAPDOOR, a program written to
provide future access to computer
systems. These are typical entryways for
worms.
-:- TIME BOMB, a set of computer
instructions entered into a system or
piece of software that are designed to
go off at a predetermined time. April
Fool's Day and Friday the 13th have been
popular times for time bomb's to go off.
-:- LOGIC BOMB, similar to a time
bomb, but linked instead to a certain
event, such as the execution of a
particular sequence of commands.
-:- CHAOS CLUB, a West German
organization that some have alleged was
formed to wreak havoc on computer
systems through the use of viruses and
their kin.
--J. Scott Orr
ONLINE TODAY'S BACKGROUNDER: COMPUTER
"VIRUS," PART FIVE
(Editor's note: Computer "viruses" --
self-propagating programs that spread
from one machine to another and from one
disk to another -- have been very much
in the news. This file contains
virus-related stories carried by Online
Today's electronic edition beginning on
July 31, 1989, the first time word was
received of the so-called "Datacrime" or
"Columbus Day virus.")
RESEARCHER UNCOVERS OCT. 12 VIRUS
(July 31)
An official with a British firm that
markets anti-virus software says the
company has uncovered a new virus called
"Datacrime" is set to attack MS-DOS
systems starting Oct. 12.
Dr. Jan Hruska of Sophos UK tells
Computergram International the virus
apparently appends itself to .COM
(command) files on MS-DOS systems.
"Operating on a trigger mechanism," CI
says, "the virus reformats track 0 of
the hard disk on or after Oct. 12. It
has no year check and so will remain
active from Oct. 12 onwards destroying
or losing programs and data."
Hruska told the publication this is a
relatively new virus and that its
encrypted form reveals its name
("Datacrime") and its date of release,
last March 1.
Sophos markets a program called
Vaccine version 4 designed to detect
known viruses.
--
NIST FORMS COMPUTER SECURITY NETWORK
(Aug. 3)
The National Institute of Standards
and Technology is working with other
federal agencies to establish a
government-wide information network on
security incidents and issues, reports
Government Computer News.
Organized by NIST's Computer Security
Division, the network would supply the
latest information to agencies on
security threats, develop a program to
report and assess security incidents as
well as offer assistance.
Dennis Steinauer, evaluation group
manager of the Computer Security
Division, said the plan is a response to
the communications problems federal
agencies suffered during last November's
worm attack on Internet by Cornell
University graduate student Robert T.
Morris Jr.
In addition to NIST, the departments
of Energy, Justice and Transportation as
well as the National Science Foundation
and NASA are participating in the
project, which calls for each agency to
organize a security incident response
and resource center.
NIST's network would connect the
centers electronically, allowing them to
communicate with one another. Steinauer
said he wants to set up a master
database of contacts, phone numbers and
fax numbers to ensure communications.
One aspect of the plan calls for each
center to become expert in some specific
area of the technology, such as personal
computers, local area networks or
multiuser hosts.
"The answer is not some monolithic,
centralized command center for
government," Steinauer told GCN.
"Problems occur in specific user or
technology communities, and we see the
solutions evolving where the reaction is
by people who know the user community
and the environment."
He explained that the Computer
Security Act has helped increase
security awareness within the
government, but the emergence of
computer viruses, worms and other
sophisticated threats has demonstrated
the need for more advanced security
tools.
-- Cathryn Conroy
AUSTRALIAN CHARGED WITH CRACKING
(Aug. 14)
Australia is reporting its first
computer cracking arrest. A Melbourne
student is charged with computer
trespass and attempted criminal damage.
Authorities allege 32-year-old Deon
Barylak was seen loading a personal
computer with a disk that was later
found to possess a computer virus.
"Fortunately, it was stopped before it
could spread, which is why the charge
was only attempted criminal damage,"
senior detective Maurice Lynn told Gavin
Atkins for a report in Newsbytes News
Service.
The wire service said Barylak could
face a maximum of 100 years' jail and a
fine.
Also police expect to make further
arrests in connection with the case.
Authorities said Barylak also faces
charges of possessing computer equipment
allegedly stolen from a community
center.
--
INTERNET VIRUS BACK?
(Sept. 4)
Apparently, neither the threat of
criminal sanctions nor the hazards of
investigation by the FBI is enough to
keep the Internet computer
communications network secure from
intrusion. The Department of Defense
agency responsible for monitoring
Internet security has issued a warning
that unauthorized system activity
recently has been detected at a number
of sites.
The Computer Emergency Response Team
(CERT) says that the activity has been
evident for some months and that
security on some networked computers may
have been compromised. In a warning
broadcast to the Internet, CERT says
that the problem is spreading.
Internet first came to general
attention when a came to much of the
computing communities attention when a
23-year-old Cornell University student
was said to be responsible for inserting
a software "worm" into the network. The
Department of Defense's Advanced Project
Agency network (ARPANET) also was
infected and CERT was formed to
safeguard networks used or accessed by
DoD emplyees and contractors.
In its warning about recent
intrusions, CERT says that several
computers have had their network
communications programs replaced with
hacked versions that surreptitiously
capture passwords used on remote
systems.
"It appears that access has been
gained to many of the machines which
have appeared in some of these session
logs," says a broadcast CERT warning.
"As a first step, frequent telnet
[communications program] users should
change their passwords immediately.
While there is no cause for panic, there
are a number of things that system
administrators can do to detect whether
the security on their machines has been
compromised using this approach and to
tighten security on their systems where
necessary."
CERT went on to suggest a number of
steps that could be taken to verify the
authenticity of existing programs on any
individual UNIX computer. Among those
was a suggestion to reload programs from
original installation media.
--
AIR FORCE WARNS ITS BASES OF POSSIBLE
"COLUMBUS DAY VIRUS"
(Sept. 10)
The US Air Force has warned its bases
across the country about a possible
computer virus reportedly set to strike
MS-DOS systems Oct. 12.
Warning of the so-called "Columbus Day
virus" was issued by the Air Force
Communications Command at Scott Air
Force Base, Ill., at the request of the
Office of Special Investigations.
OSI spokesman Sgt. Mike Grinnell in
Washington, D.C., told David Tortorano
of United Press International the
advisory was issued so computer
operators could guard against the
alleged virus. "We're warning the
military about this," Grinnell said,
"but anybody that uses MS-DOS systems
can be affected."
As reported here July 31, Dr. Jan
Hruska, an official with a British firm
called Sophos UK, which markets
anti-virus software, said his company
had uncovered a new virus called
"Datacrime." Hruska told Computergram
International at the time that the virus
apparently appends itself to .COM
(command) files on MS-DOS systems.
Said CI, "Operating on a trigger
mechanism, the virus reformats track 0
of the hard disk on or after Oct. 12. It
has no year check and so will remain
active from Oct. 12 onwards destroying
or losing programs and data." Hruska
told the publication this was a
relatively new virus and that its
encrypted form revealed its name
("Datacrime") and its date of release,
last March 1.
Meanwhile, Air Force spokeswoman Lynn
Helmintoller at Hurlburt Field near Fort
Walton Beach, Fla., told UPI that
computer operators there had been
directed to begin making backup copies
of files on floppy disks just in case.
She said the warning was received at the
base Aug. 28.
Staff Sgt. Carl Shogren, in charge of
the small computer technology center at
Hurlburt, told Tortorano no classified
data would be affected by the possible
virus attack because the disks used for
classified work are different from those
that might be struck.
UPI quoted officials at Scott Air
Force Base as saying the warning was
sent to every base with a communications
command unit, but that they did not know
how many bases were involved.
--
COMPUTER VIRUSES PLAGUE CONGRESS
(Sept. 11)
Although Congress recently passed the
Computer Security Act to force federal
agencies to guard against high-tech
break- ins and computer viruses, the
legislators may soon realize they made a
costly mistake. The law applies to all
federal agencies -- except Congress
itself. And according to Government
Computer News, Capitol Hill has been the
victim of several recent virus attacks.
One virus, for instance, emerged about
a year ago in the Apple Macintosh
computers of several House offices
causing unexplained system crashes. A
steep bill of some $100,000 was incurred
before experts were confident the
plague, now known as Scores, was
stopped. However, it does still lurk in
the depths of the computers, notes GCN,
causing occasional malfunctions.
Dave Gaydos, Congress' computer
security manager, says the sources of
many viruses may never be known, since
some 10,000 programmers are capable of
producing them.
Capitol Hill legislators and staff
members are only now becoming aware of
the potential danger of viruses as more
offices are exploring ways to connect
with online database services and with
each other through local area networks.
GCN reports that last February, a
California congressional office was the
victim of a virus, caught while using a
so-called vaccine program meant to
detect intruders into the system.
"I used to laugh about viruses," said
Dewayne Basnett, a systems specialist on
Capitol Hill. "But now when you ask me
about them, I get very angry. I think
of all the time and effort expended to
repair the damage they do."
According to GCN, many of the 3,000
House employees with computers are
ignorant of the risks and unable to take
basic precautions. Although various
computer specialists are trying to
inform Hill users of computer security
issues and offer training sessions,
there is no broad support from the
legislators themselves for such actions.
"We are working to alert people to the
dangers," said Gaydos, "but it may take
an incident like a destructive virus to
move [Congress] to take precautions."
-- Cathryn Conroy
VIRUS HITS AUSTRALIA
(Sept. 12)
Australian authorities are said to be
confused about the origin of a supposed
computer virus that has been making the
rounds of computer installations in the
South Pacific. An Australian newspaper,
The Dominion, says that sensitive data
in Defense Department computers has been
destroyed by the virus.
Dubbed the Marijuana virus because of
the pro-drug message that is displayed
before any data is erased, it is thought
that the misbehaving bug originated in
New Zealand. Some have even suggested
that the program was purposely
introduced into Australian Defense
computers by agents of New Zealand, a
contention that a Defense Department
spokesman branded as "irresponsible."
The two South Pacific nations have had
strong disagreements about defense
matters, including recent joint
maneuvers in the area by Australian and
US forces.
A more likely explanation for the
intrusion into Defense computers is the
likelihood that Australian security
specialists were examining the virus
when they inadvertently released it into
their own security system. The Marijuana
virus is known to have been infecting
computers in the country for at least
three months and its only known
appearance in government computers
occurred in a Defense sub-department
responsible for the investigation and
prevention of computer viruses.
--
VIRUS THREAT ABSURDLY OVERBLOWN, SAY
EXPERTS
(Sept. 18)
The so-called "Columbus Day Virus"
purportedly set to destructively attack
MS-DOS computers on Oct. 13 has computer
users -- including the US military --
scampering to protect their machines.
But according to The Washington Post,
the threat is absurdly overblown with
less than 10 verified sightings of the
virus in a country with tens of millions
of computers.
"At this point, the panic seems to
have been more destructive than any
virus itself," said Kenneth R. Van Wyk,
a security specialist at Carnegie-Mellon
University's Software Engineering
Institute, who has been taking some 20
phone calls daily from callers seeking
advice on the subject.
Bill Vance, director of secure systems
for IBM Corp., told The Post, "If it was
out there in any number, it would be
spreading and be more noticeable."
He predicted Oct. 13 is not likely to
be "a major event."
As reported in Online Today, this
latest virus goes by several names,
including Datacrime, Friday the 13th and
Columbus Day. It lies dormant and
unnoticed in the computer until Oct. 13
and then activates when the user turns
on the machine. Appending itself to .COM
(command) files, the virus will
apparently reformats track 0 of the hard
disk.
The Post notes that the federal
government views viruses as a grave
threat to the nation's information
systems and has set in motion special
programs to guard computers against them
and to punish those who introduce them.
Centel Federal Systems in Reston, Va.,
a subsidiary of Centel Corp. of Chicago,
is taking the threat seriously,
operating a toll-free hotline staff by
six full-time staff members. More than
1,000 calls have already been received.
Tom Patterson, senior analyst for
Centel's security operations, began
working on the virus five weeks ago
after receiving a tip from an
acquaintance in Europe. He said he has
dissected a version of it and found it
can penetrate a number of software
products designed to keep viruses out.
Patterson told The Post that he found
the virus on one of the machines of a
Centel client. "The virus is out there.
It's real," he said.
Of course, where there's trouble,
there's also a way to make money. "The
more panicked people get," said Jude
Franklin, general manager of Planning
Research Corp.'s technology division,
"the more people who have solutions are
going to make money."
For $25 Centel is selling software
that searches for the virus. Patterson
said, however, the company is losing
money on the product and that the fee
only covers the cost of the disk,
shipping and handling. "I'm not trying
to hype this," he said. "I'm working
20-hour days to get the word out."
-- Cathryn Conroy
SICK SOFTWARE INFECTS 100 HOSPITALS
NATIONWIDE
(Sept. 20)
When a hospital bookkeeping computer
program could not figure out yesterday's
date, some 100 hospitals around the
country were forced to abandon their
computers and turn to pen and paper for
major bookkeeping and patient admissions
functions, reports The Washington Post.
Although there was no permanent loss
of data or threat to treatment of
patients, the hospital accounting
departments found themselves at the
mercy of a software bug that caused
major disruptions in the usual methods
of doing business.
The incident affected hospitals using
a program provided by Shared Medical
Systems Corp. of Pennsylvania. The firm
stores and processes information for
hospitals on its own mainframe computers
and provides software that is used on
IBM Corp. equipment.
According to The Post, the program
allows hospitals to automate the
ordering and reporting of laboratory
tests, but a glitch in the software
would not recognize the date Sept. 19,
1989 and "went into a loop" refusing to
function properly, explained A. Scott
Holmes, spokesman for Shared Medical
Systems.
The firm dubbed the bug a "birth
defect" as opposed to a "virus," since
it was an accidental fault put into the
program in its early days that later
threatened the system's health.
At the affected hospitals around the
country, patients were admitted with pen
and paper applications. Hospital
administrators admitted the process was
slower and caused some delay in
admissions, but patient care was never
compromised.
-- Cathryn Conroy
ARMY TO BEGIN VIRUS RESEARCH
(Sept. 21)
Viruses seem to be on the mind of
virtually every department administrator
in the federal government, and the US
Army is no exception. The Department of
the Army says it will begin funding for
basic research to safeguard against the
presence of computer viruses in
computerized weapons systems.
The Army says it will fund three
primary areas of research: computer
security, virus detection and the
development of anti-viral products.
Research awards will be made to US
businesses who are eligible to
participate in the Small Business
Innovation Research (SBIR) program.
The Army program, scheduled to begin
in fiscal year 1990, is at least
partially the result of Congressional
pressure. For some months,
Congressional staffers have been
soliciting comments about viruses and
their potential effect on the readiness
of the US defense computers.
Small businesses who would like to bid
on the viral research project may obtain
a copy of Program Solicitation 90.1 from
the Defense Technical Information Center
at 800/368-5211.
--
SO-CALLED "DATACRIME" VIRUS REPORTED ON
DANISH POSTGIRO NET
(Sept. 22)
The so-called "Datacrime" virus, said
to be aimed at MS-DOS system next month,
reportedly has turned up on the Danish
Postgiro network, a system of 260
personal computers described as the
largest such network in Scandinavia.
Computergram International, the
British newsletter that first reported
the existence of the Datacrime virus
back in July, says, ""Twenty specialists
are now having to check 200,000 floppy
disks to make sure that they are free
from the virus."
Datacrime is said to attach itself to
the MS-DOS .COM files and reformats
track zero of the hard disk, effectively
erasing it. However, as reported, some
experts are saying the threat of the
virus is absurdly overblown, that there
have been fewer than 10 verified
sightings of the virus in a country with
tens of millions of computers.
--
In a rare move, IBM says it is
releasing a program to check for
personal computer viruses in response,
in part, to customer worries about a
possible attack next week from the
so-called "Datacrime" virus.
"Up until the recent press hype, our
customers had not expressed any
tremendous interest (in viruses) over
and above what we already do in terms of
security products and awareness," Art
Gilbert, IBM's manager of secure systems
industry support, told business writer
Peter Coy of The Associated Press.
However, reports of a "Datacrime"
virus, rumored to be set to strike
MS-DOS systems, have caused what Coy
describes as "widespread alarm," even as
many experts say the virus is rare and a
relatively small number of PCs are
likely to be harmed.
IBM says it is releasing its Virus
Scanning Program for MS-DOS systems that
can spot three strains of the Datacrime
virus as well as more common viruses
that go by names such as the Jerusalem,
Lehigh, Bouncing Ball, Cascade and
Brain.
The $35 program is available directly
from IBM or from dealers, marketing
representatives and remarketers and,
according to Gilbert, will detect but
not eradicate viruses. Gilbert added
that installing a virus checker is not a
substitute for safe-computing practices
such as making backup copies of programs
and data and being cautious about
software of unknown origin.
Meanwhile, virus experts speaking with
Coy generally praised IBM's actions.
"It's about time one of the big boys
realized what a problem this is and did
something about it," said Ross
Greenberg, a New York consultant and
author of Flu-Shot Plus. "To date, all
the anti-virus activity is being done by
the mom and pops out there."
In addition, Pamela Kane, president of
Panda Systems in Wilmington, Del., and
author of a new book, "Virus
Protection," called the move "a very
important and responsible step."
As noted, experts are differing widely
over whether there is truly a threat
from the Datacrime virus. The alleged
virus -- also dubbed The Columbus Day
virus, because it reportedly is timed to
begin working on and after Oct. 12 --
supposedly cripples MS-DOS- based hard
disks by wiping out the directory's
partition table and file allocation
table.
Besides the IBM virus scanning
software, a number of public domain and
shareware efforts have been contributed
online, collected on CompuServe by the
IBM Systems/Utilities Forum (GO IBMSYS).
For more details, visit the forum, see
Library 0 and BROwse files with the
keyword of VIRUS (as in BRO/KEY:VIRUS).
--
DUTCH COMPUTERISTS FEAR 'DATACRIME'
VIRUS
(Oct. 7)
The "Datacrime"/Columbus Day virus,
which is being widely down-played in the
US, may be much more common in the
Netherlands. A Dutch newspaper reported
this week the virus had spread to 10
percent of the personal computers there.
"Those figures are possibly inflated,"
police spokesman Rob Brons of the Hague
told The Associated Press. Nonetheless,
police are doing brisk business with an
antidote to fight the alleged virus.
Brons said his department has sold
"hundreds" of $2.35 floppy disks with a
program that purportedly detects and
destroys the virus.
As reported, Datacrime has been
described as a virus set to destroy data
in MS-DOS systems on or after Oct. 12.
AP notes that in the US there have been
fewer than a dozen confirmed sightings
of the dormant virus by experts who
disassembled it.
The wire service also quotes Joe
Hirst, a British expert on viruses, as
saying some now believe the virus was
created by an unidentified Austrian
computerist. He added that as far as he
knew the Netherlands was the only
European country in which the virus had
been spotted.
--
BY JOVE, THAT'S IT! DATACRIME VIRUS IS
THE VIKINGS' REVENGE
(Oct. 10)
Computergram International has a
tongue-in-cheek theory on the origin of
that nasty Datacrime virus which is said
to be poised to strike MS-DOS computers
this week.
"The latest," the British computer
journal reports in today's edition, "is
that it may have been planted by a
Norwegian: the theory is that as it is
set to destroy data on Columbus Day a
diehard Norwegian, convinced that the
Vikings discovered the American
continent first, is taking revenge."
Nonetheless, the newsletter adds,
"Computergram prefers the idea that it
is all the work of the Sioux."
--
AT&T AND IBM WARN STAFF ABOUT DATACRIME
VIRUS
(Oct. 11)
Although industry experts say the
so-called Datacrime virus set to invade
MS-DOS systems on Friday, Oct. 13 is not
that great a threat, major corporations
are taking it quite seriously.
According to Reuter, several companies
are advising their employees to protect
their computer systems.
AT&T Co. and IBM Corp. have issued
internal memos warning staff members
about the virus.
"We are taking the virus threat
seriously," said an AT&T Bell
Laboratories spokesman.
AT&T has specifically asked employees
not use software from unknown sources
and to back up data, while IBM has
instructed staff members to use the
company's anti-viral software introduced
last week and to make copies of their
data.
"It's very, very rare but very
destructive," said Russell Brand, chief
technical advisor at Lawrence Livermore
Laboratories in Livermore, Calif.
Brand has examined the virus in an
infected computer and says that unlike
most viruses that allow the data to be
put back together, Datacrime has the
ability to wipe out a complete hard
disk.
Brand told Reuter that there are about
77 different viruses in circulation now.
"People are worried about viruses,
especially those that rely on their
PCs," said Michael Riemer, executive
vice president of Foundationware Inc., a
consulting firm in Cleveland. "But what
viruses have done is forced people to
look at security and system management
in place."
Mike Odawa, president of the Software
Development Council, told Reuter that he
does not anticipate any big problems
caused by Datacrime. "I think Friday
the 13th will come and everyone will be
disappointed by it," he said.
-- Cathryn Conroy
GOVERNMENT EMPLOYEES WARNED ABOUT
DATACRIME VIRUS
(Oct. 11)
The National Institute of Standards
and Technology is warning federal
agencies to be on guard against the
Datacrime virus, supposedly set to
attack MS-DOS computers this week.
According to Government Computer News,
NIST has issued the first governmentwide
guide on computer viruses in an attempt
to make security an integral part of any
computer course and to include computer
viruses in agencies' risk analyses and
contingency plans.
"With the widespread use of personal
computers that lack effective security
mechanisms, it is relatively easy for
knowledgeable users to author malicious
software and then dupe unsuspecting
users into copying it," says the guide,
which is titled Computer Viruses and
Related Threats: A Management Guide.
Ronald Shoupe, automation group leader
for NASA's Goddard Space Flight Center,
told GCN he found a virus contamination
that strongly resembles Datacrime. The
virus was on a machine Shoupe keeps
separated from others for virus
detection. He said the nature of the
virus is a mystery to him, since it
activates by itself.
"I've never seen anything that
triggered by itself. I don't know of a
way for a file to self-activate unless
it perhaps does something to the boot
track," he explained.
Shoupe said this was the only
occurrence of the Datacrime virus in
government computers of which he is
aware. "We're watching but treating it
as a rumor rather than a fact. We've
alerted the computer security officers.
We're trying not to broadcast this too
much," he admitted.
Richard Carr, computer security
program manager for NASA, said alerting
users to the danger only serves to
spread more rumors and give would-be
vandals ideas they might not otherwise
have.
"If we publicize some of the unfounded
rumors, some of the crazies out there
might try to make this a self-fulfilling
prophecy. We can't let these people
know what protective measures we have.
It's a tough call to make," said Carr.
He admitted that the ramifications of
a computer virus attack at NASA would be
enormous. One concern is the upcoming
launch of the next space shuttle early
next week.
NIST officials are urging government
employees to back up their hard disks
and consider using virus detection
utilities.
-- Cathryn Conroy
ANTI-VIRUS PUBLISHER GIVES TIPS FOR
VIRUS DETECTION AND REMOVAL
(Oct. 11)
You say you've done nothing special to
protect your computer and now the news
media keeps saying the viruses are
coming (...The Viruses Are Coming!) So,
what now?
Don't panic, says Cleveland- based
FoundationWare Inc., developer of the
Certus anti-virus security system.
You're probably going to come through it
just fine.
Saying the computing community needs
to meet the "current virus hysteria from
a calm, logical and pragmatic business
perspective," FoundationWare released an
extensive statement today that provides
specific tips for detecting and removing
the so- called Datacrime and Friday the
13th viruses, alleged to be set to
activate in MS-DOS computers starting
tomorrow.
But also FoundationWare urged
computerists not to over-react to the
current virus fears.
"The truth is that viruses are not as
common as widely believed," the
statement said. "If you have not already
taken action to protect yourself ... do
not worry about them now. Prepare
yourself and your employees should one
of your machines go down by having (data
only) backups available."
The software publisher also criticized
one-time, "quick fix" search programs
that look for blocks of code known to be
part of a specific virus, saying such
programs have inherently limited
capabilities.
"It's like buying a home security
system that protects against blond-hair
blue-eyed people," said FoundationWare
Vice President Michael Riemer, who is
also chairman of the Software Publishers
Association's security special interest
group. "You won't be protected if a
bald, brown-eyed person breaks into your
house."
Riemer suggested the computing public
needs to begin addressing viruses by
taking "a more global perspective,"
adding that such an approach would
include:
1. Regular data back-up.
2. Not backing-up data and programs on
the same diskettes.
3. Educating users on the threat of
malicious software.
4. Determining and implementing
appropriate integrity checking, security
and management mechanisms.
Regarding the Datacrime and Friday
the 13th viruses, the FoundationWare
report suggested that users look for
unexplained increases in file size, "a
telltale sign of most virus infections."
The company also noted the users could
determine if a disk has been infected by
using the MS-DOS DEBUG utility to scan
executable files in the following
manner:
A. For the Datacrime virus (also
called "Columbus Day" virus), use DEBUG
to scan .COM files for the Hexadecimal
codes EB00B4OECD21B4, AND/OR,
00568DB43005CD21. If the codes are
present, the system is infected, the
company said.
B. For the Friday the 13th Virus (also
called the Israeli virus), use DEBUG to
scan .EXE and .COM files for the
Hexadecimal codes 2EFF0E1F00,
E992000000, AND/OR 7355524956.
The company also made a number of
suggestions for removing viruses,
(though it acknowledged the methods
aren't foolproof nor recommended as "a
complete solution" for fighting these or
future viruses). The suggestions are:
-:- Never attempt to remove or isolate
a virus from a currently active
computer. Instead, boot from a clean
original and write-protected DOS floppy
disk.
-:- On a local area network, first
check network operating system files on
local drives before logging onto the
network. Isolate LAN/PCs, so that there
are no active users beside you.
-:- If you think you have the Friday
the 13th or Datacrime virus (which are
keyed to specific days), give yourself
some extra time before they activate by
simply changing your system time/date to
an earlier date, such as January 15,
1989.
-:- To create a clean system, boot
your computer from an original,
write-protected DOS floppy disk and run
your backup program (from your original
write-protected floppy source) and
back-up only your data (not your
programs). Perform a low-level and DOS
FORMAT using programs from the original
write- protected distribution disks (not
from your hard disk), then reinstall the
software from original write-protected
disks and restore the "data-only"
backup.
-:- If you isolate a virus which is
present in your system's boot track or
partition table (this will not be either
the Datacrime or Jerusalem virus), you
have other options. You should boot from
a write-protected original DOS floppy
disk and run a disk utility program that
can replace the partition table. (Note:
be sure the operator is very familiar
with such a program before using it).
-:- If you believe that a virus is in
the boot track (IO.SYS, MSDOS.SYS) or
the operating system (COMMAND.COM), you
can take still other measures. Boot from
a write-protected original DOS floppy
disk and run the "SYS C:" command from
the clean floppy disk which then
replaces IO.SYS and MSDOS.SYS files. You
should then type "DEL COMMAND.COM" and
replace it with a clean copy of
COMMAND.COM from the A: drive.
Finally, speaking of viruses in
general, the FoundationWare statement
notes that if you suspect your system is
infected, you should delete all
suspected files (that is, all .EXE and
.COM program files) and those found to
contain a virus and then replace the
questionable software with "trusted
copies" from the original
write-protected distribution disks.
Also, the report notes, "It has been
suggested that using standard DOS DEL,
ERASE or COPY may in some instances not
be enough to remove the infected program
(though for these two viruses DELETE and
ERASE are adequate). It is recommended
that you use a program which actually
writes over (the) program area to
completely eradicate infected files."
--
VIRUSES STRIKE IN EUROPE
(Oct. 13)
As many predicted all along, the
computer viruses that struck today on
this Friday the 13th didn't mean the end
of computing as we know it. Still, the
day also was not completely free of
system vandalism caused by the rogue
programs.
While confirmed virus attacks appear
to have been few and minor in the United
States, more serious incidents occurred
in Europe, with virus-related computer
problems reported in Great Britain, the
Netherlands, Portugal, France and
Switzerland.
As noted earlier, the computing
community was bracing itself for a
double-whammy of virus assaults this
week, from the so-called
Datacrime/Columbus Day virus starting
yesterday and from the Friday the
13th/Jerusalem virus today.
In the US, at least one CompuServe
subscriber reported a virus incident.
Writing on the message board of the IBM
Systems/Utilities Forum (GO IBMSYS), Tom
Ohlson told his fellow forum members
that a friend of his in Staten Island,
N.Y., had used a copy of an anti- virus
program called SCAN40, downloaded
earlier from the forum, to locate the
Datacrime virus. Ohlson said the friend
had traced the virus to a copy of a game
program that was passed around on a
floppy disk.
Elsewhere in New York, security
specialist Ross M. Greenberg, creator of
Flu-Shot Plus and Virex-PC anti-viral
software, told The Associated Press that
by midmorning he had received seven
reports of virus strikes since midnight,
but that only one was the Columbus Day
virus.
Greenberg reported that a dozen PCs at
Columbia University in New York City
were affected, but that the university
had made backup files, so the virus was
merely an inconvenience.
The other six virus reports concerned
what he called the "PLO virus," an older
virus designed to erase programs every
Friday the 13th. Greenberg said earlier
the PLO virus was far more widespread
and likely would cause more trouble
today than newer viruses.
Meanwhile, in Urbana, Ill., Michael
Harper, a staff person at the University
of Illinois' Micro Resource Center, told
United Press International a virus was
detected in some of the campus's 1,000
terminals, but that the university was
able to treat the computers before it
did any damage. "We're definitely
breathing easier," Harper said.
He said a virus was introduced on
campus by a piece of software used for
inputting scientific data. The
university now has a installed an
anti-virus warning program.
And now, from assorted wire
dispatches, here are virus incidents
reported elsewhere in the world today:
-:- Great Britain:
In perhaps the worst virus assault
of the day, computers at London's Royal
National Institution for the Blind were
infected by what experts are saying was
a previously known virus.
"We found that most of our program
files are gone," Corri Barrett of the
institute told reporters. "Every time we
try to look at a new program file it
vanishes in front of our eyes. It's
horrendous. Months and months of work
has been wiped out here."
Barrett told a BBC-TV interviewer the
virus might have contaminated disks
distributed to blind clients and that
their systems had been infected.
-:- The Netherlands:
In the Netherlands, where the first
alert of the so-called Datacrime virus
was given last summer, a unit set up to
hunt viruses said it had been flooded
with telephone calls from panicked users
today. Many told the officials they had
"lost everything, all their data stored
in memory and all their programs,"
according to a spokesman.
At the social affairs ministry, a
spokesman said yesterday the Datacrime
virus had been isolated and destroyed
"on several occasions" in recent days.
Also, Amsterdam university managed to
kill the Datacrime virus in time to save
its data, an official told Dutch
television yesterday.
In addition, the "Jerusalem" virus,
detected four times in the microcomputer
network of the Dutch rail company, was
rooted out before today, when it was
still dormant, a spokesman said.
-:- Portugal:
In Lisbon, at least two infected
computers flashed ominous warning
messages across their screens,
triggering panic among users.
The first, the "Friday the 13th"
virus, cropped up in the computer system
of a bank. The second, said to be of a
strain dubbed "Pakistan," attacked
computers at a medium-size company. In
both cases, the viruses were
neutralized, a spokesman for a
Portuguese computer association said.
-:- France:
Daniel Dutil, in charge of a special
unit set up to search and destroy the
viruses, said that fewer than one
percent of that nation's PCs were
contaminated, adding, "It's a normal
situation, if you take into account that
viruses are always found in computer
programs."
Dutil said some 2,000 computer
programs had come under the harsh
scrutiny of his unit, dubbed the
anti-viral platform, since it opened its
campaign to wipe out the viruses on
Tuesday. He said that whenever viruses
were programmed to awaken from their
dormant state and activate themselves on
symbolic dates such as January 1, April
1 or July 14, there was usually only
"slight virus activity similar to that
observed today."
Meanwhile, Guy Hervier, an
administration official at the
University of Nice in southern France,
said yesterday a virus scheduled to
activate today was discovered in the
university's computer lab in June but
was easily detected and destroyed.
-:- Switzerland:
Bernhard Schmid, head of the federal
personal computer team, said several
dozen of the government's 3,500 personal
computers were found to have been
carrying a virus. However, experts
managed to cancel and reprogram all
infected systems. He said infected
programs had been found in a wide range
of administrative branches.
--
VIRUS EXPERTS CITE PREPAREDNESS,
EXAGGERATION, BUSINESS SILENCE
(Oct. 14)
On the morning after, some computer
experts today were saying yesterday's
reported low incidence of virus assaults
was due to the exaggeration of the
threat all along, while others were
crediting the computing community's
preparedness due to early warnings.
Meanwhile, another observer said the
number of virus attacks actually may
have been greater than we realize,
because many corporate users are
reluctant to publicize computer security
violations at their businesses.
Wes Thomas, editor of a new electronic
newsletter called Virus Alert, told The
Associated Press his group received 50
unconfirmed reports of virus outbreaks
worldwide and that a headquarters was
set up in San Francisco to study the
cases.
"There's a lot of false positives,"
Thomas said. "We are attempting to form
a center for disease control for
computer viruses so we can centralize
information and find out what's going
on." Thomas said he helped spread the
word about the so- called Columbus Day
or Datacrime virus after attending an
August meeting in Amsterdam where the
rogue program was discussed.
Actually, most of the reported virus
attacks over the past two days seemed to
have been the work, not of Datacrime,
but of the older Friday the 13th or
Jerusalem virus that was first
discovered at Hebrew University in
December 1987.
Experts disagree, but one report is
that there now are about 30 different
computer virus strains making the
rounds.
Fred Cohen, an independent researcher
in Pittsburgh who is credited with
exposing the first computer virus in
1983, told AP he believes this week's
outbreaks were kept down because
computer users took proper precautions.
"Everybody was looking for it."
However, Cohen also cautioned, "This
is a long-term sort of threat. It's like
biological warfare."
Speaking with the Reuter Financial
News Service, John McAfee, chairman of
the Computer Virus Industry Association,
said he saw no rise yesterday in
reported computer virus problems, which
he said usually number 30 to 40 a day.
Elsewhere, Winn Schwartau, president
of American Computer Security Industries
Inc., told Reuter he had been informed
of 25 outbreaks of the Friday the 13th
version this week at organizations
ranging from universities to banks.
"It's not Armageddon -- it's not going
to all come at once crashing down around
us," he said, but he added the impact
actually could last for months as new
strains develop.
He said the customer base of his
company, which was started five years
ago, has increased 50 to 100 times in
the past 30 days because of fear of the
viruses after rumors began spreading in
late August.
He also said accurate virus reports
are difficult to gauge, because most
companies consider the damage to be
confidential information.
"Major corporations don't want the
publicity," Schwartau said.
--
ONLINE TODAY'S BACKGROUNDER: COMPUTER
"VIRUS," PART SIX
(Editor's note: Computer "viruses" --
self-propagating programs that spread
from one machine to another and from one
disk to another -- have been very much
in the news. This file contains
virus-related stories carried by Online
Today's electronic edition beginning in
late October 1989.)
VIRUS DESTROYS DATA IN TOKYO
(Oct. 30)
An official at the University of Tokyo
has confirmed a computer virus has
caused at least minor damage to some
research information at the school.
A representative of the university's
Ocean Research Institute has told The
Associated Press the virus was detected
earlier this month in four or five of
the center's 100 computers, but was
believed to have first infected the
computers last month.
The official who requested anonymity
told the wire service the virus was
found only in personal computers being
used by researchers, and not major
computer systems, adding the damage was
not serious.
The source declined to give further
details, but AP says the Japan
Broadcasting Corp. has reported a virus
also had been found in computers at the
university's Earthquake Research
Institute. That report said the virus
was the most sophisticated yet detected
in Japan, where the problem is not
widespread.
--
10 PERCENT OF CHINESE COMPUTERS STRUCK
BY VIRUSES, NEWSPAPER SAYS
(Nov. 5)
A newspaper in Beijing reports 10
percent of China's some 300,000
computers have been struck by computer
viruses.
The Xinhua Chinese news service quotes
a report yesterday in the China Daily as
saying three types of viruses have been
found so far, called "small ball,"
"marijuana" and "the shell." The paper
says universities and statistical
bureaus have been particularly hard hit
by the viruses.
Reporting on a computer security
conference in the southwest city of
Kunming, the English-language daily
quoted Yang Zhihui, deputy chief of the
Ministry of Public Security's computer
security department, as saying, "We have
already worked out some vaccination and
sterilization programs for the virus."
Yang said the wide variety of
computers in use in China -- both
foreign and domestic -- makes it hard
for a sweeping sterilization campaign to
be carried out.
The newspaper said the estimate that
one in 10 Chinese system have been virus
victims was reached by the Ministry of
Public Security following a survey last
August. The paper did not say how many,
if any, computers in China were struck
by the well- publicized "Friday the
13th"/"Datacrime" viruses last month.
However, regarding the "small ball"
virus -- which reportedly was found in
statistical bureaus in 21 provincial,
municipal and regional offices -- the
paper gave this description of an
attack:
"A computer was doing its word
processing, the cursor blinking brightly
on the screen. Suddenly, a jumping white
ball appeared. Then a second one and a
third. Slowly the screen was full of
them. Operation stopped." The paper said
the "small ball" virus can slow down or
halt computer operation, but it does not
appear to affect memory.
--
CONGRESS URGED TO BE CAUTIOUS IN
WEIGHING ANTI-VIRUS/WORM LAWS
(Nov. 8)
The president of the Computer and
Business Equipment Manufacturers
Association says Congress should be
cautious in making laws to fight
computer viruses, because, "Like the
swine flu vaccine of the 1970s, these
anti-virus bills could end up doing more
harm than good."
In remarks prepared for a hearing of
the House Judiciary subcommittee on
criminal justice, John L. Pickitt added,
"Outlawing some of the programming
techniques used to create computer
viruses might prevent the use of similar
programs for beneficial purposes,
including countering a virus."
Associated Press writer Barton Reppert
notes Pickitt, whose Washington-based
trade association represents companies
with combined sales of more than $230
billion, aimed his criticism at three
anti-virus bills, including those
sponsored by Reps. Wally Herger,
R-Calif., C. Thomas McMillen, D-Md., and
Edward J. Markey, D-Mass.
"The same sharing techniques which
make computer networks vulnerable to
virus attack can also be responsible for
breakthroughs in electronics and
telecommunications technology," Pickitt
said. "While Congress may wish to clean
up some of the language in the current
laws ... we urge Congress to act
cautiously in considering new criminal
statutes to deal with computer viruses."
Of bills currently under
consideration, Reppert observed:
-:- Herger's measure would impose
penalties of up to 20 years in prison on
people convicted of "interfering with
the operations of computers through the
use of programs containing hidden
commands that can cause harm."
-:- The McMillen bill seeks to punish
anyone who "willfully and knowingly
sabotages the proper operation of a
computer hardware system or the
associated software."
-:- Markey's proposal is to make the
introduction of a virus into an
interstate electronic network a federal
crime.
--
CONGRESS HEARS TESTIMONY ON THE COST OF
VIRUS ATTACKS
(Nov. 9)
A computer security official with the
EDP Auditors Association has estimated
for Congress that "hundreds of
thousands" of computer virus attacks
have occurred in recent years on the
systems of American corporations and the
government.
However, most attacks go unreported,
said specialist Carolyn Conn, "because
there is not a high expectation of
successful prosecution." Also, she said,
"Organizations do not want to publicize
their vulnerabilities when seemingly
there is little or no benefit" from
public disclosure.
Associated Press writer Barton
Reppert, covering Conn's appearance
yesterday afternoon before the House
Judiciary subcommittee on criminal
justice, quoted her as testifying that
the costs of viruses are "staggering."
Said Conn, "Viruses have cost
corporations, government agencies and
educational institutions millions of
dollars to prevent, detect and recover
from computer virus attacks."
Conn, whose Illinois-based EDP
Auditors Association represents some
9,000 electronic data processing
professionals across the country, made
her estimate of the number of virus
attacks in response to questions by the
congressional subcommittee.
Reppert reports the panel chairman,
Rep. Charles E. Schumer, D-N.Y., asked
her for a estimate of the overall number
of virus attacks that have occurred in
recent years. "Is it tens, is it
hundreds, is it thousands?" he asked.
Ms. Conn replied, "I think probably in
the hundreds of thousands."
--
BAR ASSOCIATION FEARS LOOPHOLES IN
EXISTING VIRUS/WORM LAWS
(Nov. 13)
The chairman of the American Bar
Association's task force on computer
crime has told a House subcommittee he
is concerned about loopholes in existing
laws that cover computer viruses, worms
and similar rogue programs.
"There are clearly some types of
computer virus activity that would be
beyond the terms of the current
statute," Joseph B. Tompkins Jr.
testified recently before the House
Judiciary subcommittee on criminal
justice.
Associated Press writer Barton Reppert
reports Tompkins and other witnesses
posed several questions about activities
that they said might fall through the
cracks of ambiguous federal laws, such
as:
-:- If a renegade programmer sends a
program containing a hidden virus to a
computer bulletin board system, can he
or she then be prosecuted for harm that
results when other BBS users transfer
the software into their own systems?
-:- Can virus/worm authors be
successfully prosecuted if they claim
they really didn't have any malicious
intent, but instead were merely trying
to pull off an innocent prank or aiming
to demonstrate existing weaknesses in
security?
Witnesses said that under current
federal law, the answer to both
questions is "maybe."
Tompkins said the Computer Fraud and
Abuse Act of 1986 -- which makes it a
federal crime to "intentionally access a
federal interest computer without
authorization and alter, destroy or
damage information in such computer or
prevent authorized access to such
computer if such conduct causes the loss
of $1,000 or more during any one-year
period" -- is not clear enough.
For instance, he testified, "The
statute does not in clear terms cover
the intentional implantation of a
computer virus in a computer which one
is authorized to access, even if the
perpetrator clearly intended harm or the
virus in fact caused significant harm."
He said the law also has been attacked
as unconstitutionally vague. "While
these arguments are probably overstated,
clarifying the statute might prevent
such arguments from being raised and
might encourage prosecutors to make more
frequent use of the statute," Tompkins
said.
--
`CONDOMS' FOR DISKS MAKE GAG GIFT
(Nov. 27)
In Christmases past, gag gifts for
computerists have ranged from chocolate
disks to empty "vaporware" packages.
This year.... well... A Fremont, Neb.,
firm called Tekservices Inc. has
announced "Safedisk," a product
described as a "poly floppy disk
condom."
The Associated Press notes word of
Safedisk spread recently after TV
talk-show host Arsenio Hall tittered
about it on his late- night program.
Stephen Nabity -- the 33-year- old
"Dr. Safedisk" -- told AP he got the
idea while watching a news broadcast
about a predicted outbreak of computer
viruses earlier this autumn.
"It came to me that people should
practice safe whatever-they-do," Nabity
said. "A lot of computer viruses were
going around."
He acknowledged his product doesn't
actually protect against viruses, but he
hopes that, at $7.95, it will be
considered a possible stocking-stuffer
for computer buffs.
--
COMPANY OFFERS VIRUS INSURANCE
(Dec. 2)
Allstate Insurance Co. may be the
first insurer to reimburse customers who
encounter the destruction of programs
and data caused by computer viruses.
Currently, the company offers
inexpensive riders to its homeowners and
renters insurance to cover other types
of damage to personal computers.
The new virus coverage is included at
no additional cost for customers who
currently have in effect a Standard
Electronic Data Protection Policy. The
data protection policy was originally
designed for owners of small
businesses.
Though existing virus protection
insurance carries a $100,000 limit,
higher amounts are available at an
additional cost. No claims have yet
been filed on any of the policies
currently in force.
Until recently, Safeware was the only
mass-market insurer with a large base of
policies issued to owners of personal
computers. The company specializes in
insuring computer equipment against
theft, natural disasters and accidental
damage. It does not pay for damages
caused by electrical problems or
viruses.
--
BRITISH GROUP WARNS OF POSSIBLE TROJAN
HORSE IN AIDS INFO DISK
(Dec. 13)
In London, the chairman of a PC users
group is warning computer users to avoid
a mailed floppy disk that purports to
give information about AIDS. He says the
disk might contain a "Trojan horse"
sabotage program.
Speaking with The Associated Press,
Dr. Alan Solomon, who leads the IBM
Personal Computer Users Group, said
several thousand of the disks -- called
"The AIDS Information Introductory
Diskette" -- have been mailed to
computer users.
Solomon, who also heads a British
company called S and S which specializes
in the examination of computer viruses,
said users' addresses may have been
taken from computer magazines. He said
the full effect of the suspected Trojan
horse program are not yet known.
He told AP he received one of the
disks in the mail on Monday bearing a
Panama postal box address. He said he
feared more could arrive in the mail
this week.
Said Solomon, "There is no urgent
panic in the short term but if (the
disk) has already been installed I would
advise (computer users) to seek urgent
help because it is a nasty thing." He
commented that few experienced computer
users would risk installing an
unsolicited disk without first checking
it, but that some less experienced users
might.
AP says a letter accompanying the disk
asks for payment of $189 for one type of
license and $378 for another.
--
VANDALIZED AIDS INFORMATION DISK WORRIES
COMPUTERISTS WORLDWIDE
(Dec. 14)
Word out of London of an apparently
vandalized computer diskette has caused
concerns among AIDS researchers around
the world and now has prompted one
computer virus expert to call the
incident a "well-orchestrated and
undeniably well-financed terrorist act."
As reported here, Chairman Alan
Solomon of London's IBM Personal
Computer Users Group was first to sound
a warning to computer users to avoid a
mailed floppy disk called "The AIDS
Information Introductory Diskette,"
because, he said, the software might
contain a "Trojan horse" sabotage
program that destroys data.
Since that announcement, there have
been these developments, according to
The Associated Press in Britain and in
the US:
-:- London's Scotland Yard issued a
warning to banks, hospitals,
universities and other institutions to
be on guard against the disk.
Investigators there say the disks have
destroyed information in at least 10
computers.
-:- Among those reported to have
received the disks are the London Stock
Exchange, British Telecommunications
PLC, which runs most of the nation's
phone network, the Midland Bank, Lloyds
Bank, the Australia and New Zealand Bank
in London, as well as universities,
hospitals and public health
laboratories.
-:- The British newspaper The Guardian
reports computer systems in hospitals
are among those damaged. It said the
disks also turned up in California,
Belgium and Zimbabwe but gave no
details.
-:- The British domestic news agency
Press Association quotes an unnamed
Health Education Authority spokesman as
saying a contact in Norway also received
a disk.
-:- In the US, the Rand Corp., which
has 15 people working on acquired immune
deficiency syndrome research, has warned
its employees. Ann Shoben, a spokeswoman
for the Santa Monica, Calif., research
firm, told AP, "We're safe. We have not
been hit. The concern is for others that
use personal computers and those who
work on AIDS research might pick up this
program and have their databases
destroyed."
-:- Also in the US, Chase Manhattan
Bank reportedly was one of the first to
report problems with the software.
As reported yesterday, several
thousand disks were believed to have
been mailed to London area computer
users. Officials there say users'
addresses may have been taken from
computer magazines. Now the UK police
say many of the disks were mailed in
London's South Kensington district.
A letter accompanying the disk asks
for payment of $189 for one type of
license and $378 for another. The letter
warns that if the money is not paid, the
sender will use program mechanisms to
stop a computer functioning normally.
Also, the program carries this ominous
advisory: "Warning: Do not use these
programs unless you are prepared to pay
for them."
Joe Hirst, former technical editor of
Virus Bulletin and a consultant on
computer software, told AP's Michael
West in London there are two programs on
the disk.
"The first," Hirst said, "is an
installation program and the second is a
questionnaire on the risk of AIDS which
will not run unless it is installed on a
hard disk. It then prints off an invoice
for a company in Panama, but the damage
has already been done by the
installation."
Apparently, that Panama company is
bogus. The London Guardian newspaper
quotes the letter as saying the money
demanded should be sent to "PC Cyborg
Corporation" at a box number in Panama.
However, neither the corporation nor the
box number -- 87-17-44 -- exists.
(The Guardian adds that the American
computer software company called Cyborg
Systems and its British subsidiary sent
warnings to customers yesterday that it
was not involved in this incident.)
AP's West said computer companies in
UK believe addresses for receiving the
disks were obtained from PC Business
World, a British weekly trade paper on
computing. Police say PC Business World
sold its 700-name mailing list in good
faith to someone claiming he wanted to
publicize the export of computers to
Nigeria.
Another London newspaper, The
Independent, reports the list was bought
for about $1,300 by a Kenyan businessman
identified as "E. Ketema."
Says the paper, "Mr. Ketema had taken
out a short-term subscription with The
Business Center in New Bond Street,
London, to receive mail and telephone
messages on his behalf while he was in
the country from Oct. 31 to Nov. 30. He
described himself as an accountant, but
the center does not know his first name,
nor does it have a forwarding address."
Meanwhile, in the US, the Rand Corp.
said it warned its employees of the disk
after receiving an advisory from
computer virus expert John McAfee.
McAfee, chairman of the Computer Virus
Industry Association of Santa Clara,
Calif., told AP writer Louinn Lota it is
unusual for his group to issue such a
blanket warning against a particular
disk, but because he has received calls
from PC users around the world, he
believes the threat is real.
"This is not a hoax," McAfee said.
"This is not a simple case of a hacker
in a back bedroom somewhere. It is a
well orchestrated and undeniably well
financed terrorist act. Few groups or
individuals can afford to waste hundreds
of thousands of dollars to bring harm to
a party and bring nothing in return."
He said he believes the topic of AIDS
was used by the creator of the damaging
program because many computer users are
likely curious about the disease. People
are encouraged to use the disk because
it is advertised as being able to
predict the chances a person has of
contracting AIDS, he said.
"Unlike an accounting program," McAfee
added, "this is a subject everyone is
aware of and virtually all people will
want to learn more about risks of having
AIDS."
--
MICROCOM BUYS ANTI-VIRUS COMPANY
(Dec. 26)
For undisclosed terms, software
publisher Microcom Inc. has acquired HJC
Software Inc., a Durham, N.C., firm that
markets programs for detecting and
eliminating viruses in Apple Macintosh
systems.
In a statement from Norwood, Mass.,
Microcom says the virus software product
line -- called Virex -- will be
integrated with its own Carbon Copy Plus
and Relay Gold communications packages.
Microcom President/CEO James M. Dow
said the Virex products "are a key
addition to our strategy of providing
comprehensive network administration and
management tools for the end user."
Dow noted that because of the large
number of users sharing files, PCs and
their networks "have been especially
vulnerable to viruses." He said the
Virex product line "will substantially
reduce the likelihood of catastrophic
failure for many PC and PC network
users."
--
From 1990 files:
NEWSBYTES COMPUTER HIT BY VIRUS
(Jan. 2)
Newsbytes News Service reports the
Apple Macintosh SE/30 used at its San
Francisco headquarters was infected just
before Christmas by what the editor
describes as one of the faster-
spreading computer viruses on record,
called WDEF A and WDEF B.
"Before the problem was pinpointed,"
editor Wendy Woods reports, "the virus
had spread to every unlocked floppy disk
and hard disk in use."
Woods quotes John Norstad of
Northwestern University as saying the
virus that struck Newsbytes was
discovered in early December by
programmers in Belgium. Since then, he
said, it has spread throughout the US in
the past few weeks and now is reported
at "virtually every major university."
The WDEF virus is said to cause Mac
windows to close, icons to fail to
appear, files to be listed as "locked,"
system error messages to flash on the
screen and applications to crash and
sometimes causes the computer to fail to
start at all.
Norstad -- author of Disinfectant, a
free program that combats the virus --
told Newsbytes that WDEF infects the
invisible Desktop files used by the
Mac's Finder. It does not infect
applications, document files or other
system files.
"Unlike the other viruses," Woods
reported, "it is not spread through the
sharing of applications, but rather
through the sharing and distribution of
disks, usually floppy disks."
Norstad says the virus can be removed
easily: hold down the option and command
keys until the complete desktop has
appeared on screen; this procedure
rebuilds the desktop and eradicates the
virus, he said. Also, his free
Disinfectant 1.5 now is appearing in the
libraries of most major Macintosh
services online.
According to Norstad, the virus
doesn't intentionally do damage, but it
can cause performance problems on
Appleshare networks with Appleshare
servers.
Newsbytes said there have been at
least two reports that WDEF can damage
disks. "The virus is known to create
havoc at the Desktop level of a
computer," the wire service said, "but
also causes crashes when a file is saved
under Multifinder. It causes problems
with the proper display of font styles,
the outline style in particular. When an
infected disk is loaded into a Mac IIci
or Portable, the computer will crash."
Downloaded From P-80 International Information Systems 304-744-2253